From d03bf6fe4e9bf5b07de62c1a271c4b41a7d3d158 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Wed, 6 Jul 2016 15:41:06 -0400 Subject: [PATCH] [1.9.x] Fixed XSS in admin's add/change related popup. This is a security fix. --- .../static/admin/js/admin/RelatedObjectLookups.js | 2 +- django/views/debug.py | 4 ++-- docs/releases/1.8.14.txt | 15 +++++++++++++-- docs/releases/1.9.8.txt | 15 +++++++++++++-- tests/admin_views/models.py | 4 ++++ tests/admin_views/tests.py | 9 ++++++++- 6 files changed, 41 insertions(+), 8 deletions(-) diff --git a/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js b/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js index 4ac9baa8ee..76cc952239 100644 --- a/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js +++ b/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js @@ -120,7 +120,7 @@ var selects = django.jQuery(selectsSelector); selects.find('option').each(function() { if (this.value === objId) { - this.innerHTML = newRepr; + this.textContent = newRepr; this.value = newId; } }); diff --git a/django/views/debug.py b/django/views/debug.py index 7cff3eface..2629d345eb 100644 --- a/django/views/debug.py +++ b/django/views/debug.py @@ -631,13 +631,13 @@ TECHNICAL_500_TEMPLATE = (""" var s = link.getElementsByTagName('span')[0]; var uarr = String.fromCharCode(0x25b6); var darr = String.fromCharCode(0x25bc); - s.innerHTML = s.innerHTML == uarr ? darr : uarr; + s.textContent = s.textContent == uarr ? darr : uarr; return false; } function switchPastebinFriendly(link) { s1 = "Switch to copy-and-paste view"; s2 = "Switch back to interactive view"; - link.innerHTML = link.innerHTML.trim() == s1 ? s2: s1; + link.textContent = link.textContent.trim() == s1 ? s2: s1; toggle('browserTraceback', 'pastebinTraceback'); return false; } diff --git a/docs/releases/1.8.14.txt b/docs/releases/1.8.14.txt index 6311172abc..31a304f7c0 100644 --- a/docs/releases/1.8.14.txt +++ b/docs/releases/1.8.14.txt @@ -2,9 +2,20 @@ Django 1.8.14 release notes =========================== -*Under development* +*July 18, 2016* -Django 1.8.14 fixes several bugs in 1.8.13. +Django 1.8.14 fixes a security issue and a bug in 1.8.13. + +XSS in admin's add/change related popup +======================================= + +Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the +admin's add/change related popup. ``Element.textContent`` is now used to +prevent execution of the data. + +The debug view also used ``innerHTML``. Although a security issue wasn't +identified there, out of an abundance of caution it's also updated to use +``textContent``. Bugfixes ======== diff --git a/docs/releases/1.9.8.txt b/docs/releases/1.9.8.txt index 8db5c3d01f..08ba5ae08f 100644 --- a/docs/releases/1.9.8.txt +++ b/docs/releases/1.9.8.txt @@ -2,9 +2,20 @@ Django 1.9.8 release notes ========================== -*Under development* +*July 18, 2016* -Django 1.9.8 fixes several bugs in 1.9.7. +Django 1.9.8 fixes a security issue and several bugs in 1.9.7. + +XSS in admin's add/change related popup +======================================= + +Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the +admin's add/change related popup. ``Element.textContent`` is now used to +prevent execution of the data. + +The debug view also used ``innerHTML``. Although a security issue wasn't +identified there, out of an abundance of caution it's also updated to use +``textContent``. Bugfixes ======== diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py index aa91eef57e..f1c77e2872 100644 --- a/tests/admin_views/models.py +++ b/tests/admin_views/models.py @@ -17,6 +17,7 @@ from django.db import models from django.utils.encoding import python_2_unicode_compatible +@python_2_unicode_compatible class Section(models.Model): """ A simple section that links to articles, to test linking to related items @@ -24,6 +25,9 @@ class Section(models.Model): """ name = models.CharField(max_length=100) + def __str__(self): + return self.name + @property def name_property(self): """ diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py index 31e4326ff7..bf419678a0 100644 --- a/tests/admin_views/tests.py +++ b/tests/admin_views/tests.py @@ -4625,8 +4625,10 @@ class SeleniumAdminViewsFirefoxTests(AdminSeleniumWebDriverTestCase): """ list_editable foreign keys have add/change popups. """ + from selenium.webdriver.support.ui import Select s1 = Section.objects.create(name='Test section') Article.objects.create( + title='foo', content='

Middle content

', date=datetime.datetime(2008, 3, 18, 11, 54, 58), section=s1, @@ -4638,8 +4640,13 @@ class SeleniumAdminViewsFirefoxTests(AdminSeleniumWebDriverTestCase): self.wait_for_popup() self.selenium.switch_to.window(self.selenium.window_handles[-1]) self.wait_for_text('#content h1', 'Change section') - self.selenium.close() + name_input = self.selenium.find_element_by_id('id_name') + name_input.clear() + name_input.send_keys('edited section') + self.selenium.find_element_by_xpath('//input[@value="Save"]').click() self.selenium.switch_to.window(self.selenium.window_handles[0]) + select = Select(self.selenium.find_element_by_id('id_form-0-section')) + self.assertEqual(select.first_selected_option.text, 'edited section') # Add popup self.selenium.find_element_by_id('add_id_form-0-section').click()