diff options
| author | Baptiste Mispelon <bmispelon@gmail.com> | 2015-03-08 11:50:32 +0100 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-03-09 10:17:54 -0400 |
| commit | 2654e1b93923bac55f12b4e66c5e39b16695ace5 (patch) | |
| tree | 339c5e65ac69a07dd58bee6e4831a23bc87e7500 /docs | |
| parent | 5a3b53112193cc74d2043e09894dd29a763b1105 (diff) | |
[1.7.x] Fixed #24461 -- Fixed XSS issue in ModelAdmin.readonly_fields
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.7.6.txt | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/docs/releases/1.7.6.txt b/docs/releases/1.7.6.txt index af0907816d..7f54da1474 100644 --- a/docs/releases/1.7.6.txt +++ b/docs/releases/1.7.6.txt @@ -2,9 +2,23 @@ Django 1.7.6 release notes ========================== -*Under Development* +*March 9, 2015* -Django 1.7.6 fixes several bugs in 1.7.5. +Django 1.7.6 fixes a security issue and several bugs in 1.7.5. + +Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields`` +======================================================================== + +The :attr:`ModelAdmin.readonly_fields +<django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django +admin allows displaying model fields and model attributes. While the former +were correctly escaped, the latter were not. Thus untrusted content could be +injected into the admin, presenting an exploitation vector for XSS attacks. + +In this vulnerability, every model attribute used in ``readonly_fields`` that +is not an actual model field (e.g. a :class:`property`) will **fail to be +escaped** even if that attribute is not marked as safe. In this release, +autoescaping is now correctly applied. Bugfixes ======== |
