[1.8.x] Refs #24461 -- Added test/release notes for XSS issue in ModelAdmin.readonly_fields
This issue was fixed by refs #24464.
This commit is contained in:
parent
980d604bf2
commit
35d68e8e76
|
@ -2,9 +2,23 @@
|
||||||
Django 1.7.6 release notes
|
Django 1.7.6 release notes
|
||||||
==========================
|
==========================
|
||||||
|
|
||||||
*Under Development*
|
*March 9, 2015*
|
||||||
|
|
||||||
Django 1.7.6 fixes several bugs in 1.7.5.
|
Django 1.7.6 fixes a security issue and several bugs in 1.7.5.
|
||||||
|
|
||||||
|
Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields``
|
||||||
|
========================================================================
|
||||||
|
|
||||||
|
The :attr:`ModelAdmin.readonly_fields
|
||||||
|
<django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django
|
||||||
|
admin allows displaying model fields and model attributes. While the former
|
||||||
|
were correctly escaped, the latter were not. Thus untrusted content could be
|
||||||
|
injected into the admin, presenting an exploitation vector for XSS attacks.
|
||||||
|
|
||||||
|
In this vulnerability, every model attribute used in ``readonly_fields`` that
|
||||||
|
is not an actual model field (e.g. a :class:`property`) will **fail to be
|
||||||
|
escaped** even if that attribute is not marked as safe. In this release,
|
||||||
|
autoescaping is now correctly applied.
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
|
@ -871,7 +871,7 @@ site = admin.AdminSite(name="admin")
|
||||||
site.site_url = '/my-site-url/'
|
site.site_url = '/my-site-url/'
|
||||||
site.register(Article, ArticleAdmin)
|
site.register(Article, ArticleAdmin)
|
||||||
site.register(CustomArticle, CustomArticleAdmin)
|
site.register(CustomArticle, CustomArticleAdmin)
|
||||||
site.register(Section, save_as=True, inlines=[ArticleInline])
|
site.register(Section, save_as=True, inlines=[ArticleInline], readonly_fields=['name_property'])
|
||||||
site.register(ModelWithStringPrimaryKey)
|
site.register(ModelWithStringPrimaryKey)
|
||||||
site.register(Color)
|
site.register(Color)
|
||||||
site.register(Thing, ThingAdmin)
|
site.register(Thing, ThingAdmin)
|
||||||
|
|
|
@ -22,6 +22,13 @@ class Section(models.Model):
|
||||||
"""
|
"""
|
||||||
name = models.CharField(max_length=100)
|
name = models.CharField(max_length=100)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def name_property(self):
|
||||||
|
"""
|
||||||
|
A property that simply returns the name. Used to test #24461
|
||||||
|
"""
|
||||||
|
return self.name
|
||||||
|
|
||||||
|
|
||||||
@python_2_unicode_compatible
|
@python_2_unicode_compatible
|
||||||
class Article(models.Model):
|
class Article(models.Model):
|
||||||
|
|
|
@ -4114,6 +4114,15 @@ class ReadonlyTest(TestCase):
|
||||||
self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True)
|
self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True)
|
||||||
self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)")
|
self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)")
|
||||||
|
|
||||||
|
def test_correct_autoescaping(self):
|
||||||
|
"""
|
||||||
|
Make sure that non-field readonly elements are properly autoescaped (#24461)
|
||||||
|
"""
|
||||||
|
section = Section.objects.create(name='<a>evil</a>')
|
||||||
|
response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,)))
|
||||||
|
self.assertNotContains(response, "<a>evil</a>", status_code=200)
|
||||||
|
self.assertContains(response, "<a>evil</a>", status_code=200)
|
||||||
|
|
||||||
|
|
||||||
@override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',),
|
@override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',),
|
||||||
ROOT_URLCONF="admin_views.urls")
|
ROOT_URLCONF="admin_views.urls")
|
||||||
|
|
Loading…
Reference in New Issue