diff --git a/docs/releases/1.7.6.txt b/docs/releases/1.7.6.txt index af0907816d3..7f54da1474d 100644 --- a/docs/releases/1.7.6.txt +++ b/docs/releases/1.7.6.txt @@ -2,9 +2,23 @@ Django 1.7.6 release notes ========================== -*Under Development* +*March 9, 2015* -Django 1.7.6 fixes several bugs in 1.7.5. +Django 1.7.6 fixes a security issue and several bugs in 1.7.5. + +Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields`` +======================================================================== + +The :attr:`ModelAdmin.readonly_fields +` attribute in the Django +admin allows displaying model fields and model attributes. While the former +were correctly escaped, the latter were not. Thus untrusted content could be +injected into the admin, presenting an exploitation vector for XSS attacks. + +In this vulnerability, every model attribute used in ``readonly_fields`` that +is not an actual model field (e.g. a :class:`property`) will **fail to be +escaped** even if that attribute is not marked as safe. In this release, +autoescaping is now correctly applied. Bugfixes ======== diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py index 263008aeb53..d070e5a55e8 100644 --- a/tests/admin_views/admin.py +++ b/tests/admin_views/admin.py @@ -870,7 +870,7 @@ site = admin.AdminSite(name="admin") site.site_url = '/my-site-url/' site.register(Article, ArticleAdmin) site.register(CustomArticle, CustomArticleAdmin) -site.register(Section, save_as=True, inlines=[ArticleInline]) +site.register(Section, save_as=True, inlines=[ArticleInline], readonly_fields=['name_property']) site.register(ModelWithStringPrimaryKey) site.register(Color) site.register(Thing, ThingAdmin) diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py index 07f6864cf5d..845d3d9ee26 100644 --- a/tests/admin_views/models.py +++ b/tests/admin_views/models.py @@ -22,6 +22,13 @@ class Section(models.Model): """ name = models.CharField(max_length=100) + @property + def name_property(self): + """ + A property that simply returns the name. Used to test #24461 + """ + return self.name + @python_2_unicode_compatible class Article(models.Model): diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py index 391122ef073..44490f7a7d2 100644 --- a/tests/admin_views/tests.py +++ b/tests/admin_views/tests.py @@ -4644,6 +4644,15 @@ class ReadonlyTest(TestCase): self.assertContains(response, '', html=True) self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)") + def test_correct_autoescaping(self): + """ + Make sure that non-field readonly elements are properly autoescaped (#24461) + """ + section = Section.objects.create(name='evil') + response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,))) + self.assertNotContains(response, "evil", status_code=200) + self.assertContains(response, "<a>evil</a>", status_code=200) + @override_settings(PASSWORD_HASHERS=['django.contrib.auth.hashers.SHA1PasswordHasher'], ROOT_URLCONF="admin_views.urls")