[1.9.x] Fixed XSS in admin's add/change related popup.

This is a security fix.
This commit is contained in:
Tim Graham 2016-07-06 15:41:06 -04:00
parent ab2f5f764a
commit d03bf6fe4e
6 changed files with 41 additions and 8 deletions

View File

@ -120,7 +120,7 @@
var selects = django.jQuery(selectsSelector); var selects = django.jQuery(selectsSelector);
selects.find('option').each(function() { selects.find('option').each(function() {
if (this.value === objId) { if (this.value === objId) {
this.innerHTML = newRepr; this.textContent = newRepr;
this.value = newId; this.value = newId;
} }
}); });

View File

@ -631,13 +631,13 @@ TECHNICAL_500_TEMPLATE = ("""
var s = link.getElementsByTagName('span')[0]; var s = link.getElementsByTagName('span')[0];
var uarr = String.fromCharCode(0x25b6); var uarr = String.fromCharCode(0x25b6);
var darr = String.fromCharCode(0x25bc); var darr = String.fromCharCode(0x25bc);
s.innerHTML = s.innerHTML == uarr ? darr : uarr; s.textContent = s.textContent == uarr ? darr : uarr;
return false; return false;
} }
function switchPastebinFriendly(link) { function switchPastebinFriendly(link) {
s1 = "Switch to copy-and-paste view"; s1 = "Switch to copy-and-paste view";
s2 = "Switch back to interactive view"; s2 = "Switch back to interactive view";
link.innerHTML = link.innerHTML.trim() == s1 ? s2: s1; link.textContent = link.textContent.trim() == s1 ? s2: s1;
toggle('browserTraceback', 'pastebinTraceback'); toggle('browserTraceback', 'pastebinTraceback');
return false; return false;
} }

View File

@ -2,9 +2,20 @@
Django 1.8.14 release notes Django 1.8.14 release notes
=========================== ===========================
*Under development* *July 18, 2016*
Django 1.8.14 fixes several bugs in 1.8.13. Django 1.8.14 fixes a security issue and a bug in 1.8.13.
XSS in admin's add/change related popup
=======================================
Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
admin's add/change related popup. ``Element.textContent`` is now used to
prevent execution of the data.
The debug view also used ``innerHTML``. Although a security issue wasn't
identified there, out of an abundance of caution it's also updated to use
``textContent``.
Bugfixes Bugfixes
======== ========

View File

@ -2,9 +2,20 @@
Django 1.9.8 release notes Django 1.9.8 release notes
========================== ==========================
*Under development* *July 18, 2016*
Django 1.9.8 fixes several bugs in 1.9.7. Django 1.9.8 fixes a security issue and several bugs in 1.9.7.
XSS in admin's add/change related popup
=======================================
Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
admin's add/change related popup. ``Element.textContent`` is now used to
prevent execution of the data.
The debug view also used ``innerHTML``. Although a security issue wasn't
identified there, out of an abundance of caution it's also updated to use
``textContent``.
Bugfixes Bugfixes
======== ========

View File

@ -17,6 +17,7 @@ from django.db import models
from django.utils.encoding import python_2_unicode_compatible from django.utils.encoding import python_2_unicode_compatible
@python_2_unicode_compatible
class Section(models.Model): class Section(models.Model):
""" """
A simple section that links to articles, to test linking to related items A simple section that links to articles, to test linking to related items
@ -24,6 +25,9 @@ class Section(models.Model):
""" """
name = models.CharField(max_length=100) name = models.CharField(max_length=100)
def __str__(self):
return self.name
@property @property
def name_property(self): def name_property(self):
""" """

View File

@ -4625,8 +4625,10 @@ class SeleniumAdminViewsFirefoxTests(AdminSeleniumWebDriverTestCase):
""" """
list_editable foreign keys have add/change popups. list_editable foreign keys have add/change popups.
""" """
from selenium.webdriver.support.ui import Select
s1 = Section.objects.create(name='Test section') s1 = Section.objects.create(name='Test section')
Article.objects.create( Article.objects.create(
title='foo',
content='<p>Middle content</p>', content='<p>Middle content</p>',
date=datetime.datetime(2008, 3, 18, 11, 54, 58), date=datetime.datetime(2008, 3, 18, 11, 54, 58),
section=s1, section=s1,
@ -4638,8 +4640,13 @@ class SeleniumAdminViewsFirefoxTests(AdminSeleniumWebDriverTestCase):
self.wait_for_popup() self.wait_for_popup()
self.selenium.switch_to.window(self.selenium.window_handles[-1]) self.selenium.switch_to.window(self.selenium.window_handles[-1])
self.wait_for_text('#content h1', 'Change section') self.wait_for_text('#content h1', 'Change section')
self.selenium.close() name_input = self.selenium.find_element_by_id('id_name')
name_input.clear()
name_input.send_keys('<i>edited section</i>')
self.selenium.find_element_by_xpath('//input[@value="Save"]').click()
self.selenium.switch_to.window(self.selenium.window_handles[0]) self.selenium.switch_to.window(self.selenium.window_handles[0])
select = Select(self.selenium.find_element_by_id('id_form-0-section'))
self.assertEqual(select.first_selected_option.text, '<i>edited section</i>')
# Add popup # Add popup
self.selenium.find_element_by_id('add_id_form-0-section').click() self.selenium.find_element_by_id('add_id_form-0-section').click()