diff options
| -rw-r--r-- | docs/releases/1.7.6.txt | 18 | ||||
| -rw-r--r-- | tests/admin_views/admin.py | 2 | ||||
| -rw-r--r-- | tests/admin_views/models.py | 7 | ||||
| -rw-r--r-- | tests/admin_views/tests.py | 9 |
4 files changed, 33 insertions, 3 deletions
diff --git a/docs/releases/1.7.6.txt b/docs/releases/1.7.6.txt index af0907816d..7f54da1474 100644 --- a/docs/releases/1.7.6.txt +++ b/docs/releases/1.7.6.txt @@ -2,9 +2,23 @@ Django 1.7.6 release notes ========================== -*Under Development* +*March 9, 2015* -Django 1.7.6 fixes several bugs in 1.7.5. +Django 1.7.6 fixes a security issue and several bugs in 1.7.5. + +Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields`` +======================================================================== + +The :attr:`ModelAdmin.readonly_fields +<django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django +admin allows displaying model fields and model attributes. While the former +were correctly escaped, the latter were not. Thus untrusted content could be +injected into the admin, presenting an exploitation vector for XSS attacks. + +In this vulnerability, every model attribute used in ``readonly_fields`` that +is not an actual model field (e.g. a :class:`property`) will **fail to be +escaped** even if that attribute is not marked as safe. In this release, +autoescaping is now correctly applied. Bugfixes ======== diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py index d7d4be86bc..158f42ea67 100644 --- a/tests/admin_views/admin.py +++ b/tests/admin_views/admin.py @@ -871,7 +871,7 @@ site = admin.AdminSite(name="admin") site.site_url = '/my-site-url/' site.register(Article, ArticleAdmin) site.register(CustomArticle, CustomArticleAdmin) -site.register(Section, save_as=True, inlines=[ArticleInline]) +site.register(Section, save_as=True, inlines=[ArticleInline], readonly_fields=['name_property']) site.register(ModelWithStringPrimaryKey) site.register(Color) site.register(Thing, ThingAdmin) diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py index 07f6864cf5..845d3d9ee2 100644 --- a/tests/admin_views/models.py +++ b/tests/admin_views/models.py @@ -22,6 +22,13 @@ class Section(models.Model): """ name = models.CharField(max_length=100) + @property + def name_property(self): + """ + A property that simply returns the name. Used to test #24461 + """ + return self.name + @python_2_unicode_compatible class Article(models.Model): diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py index 6425cb21df..925d8e6090 100644 --- a/tests/admin_views/tests.py +++ b/tests/admin_views/tests.py @@ -4114,6 +4114,15 @@ class ReadonlyTest(TestCase): self.assertContains(response, '<label for="id_public">Overridden public label:</label>', html=True) self.assertNotContains(response, "Some help text for the date (with unicode ŠĐĆŽćžšđ)") + def test_correct_autoescaping(self): + """ + Make sure that non-field readonly elements are properly autoescaped (#24461) + """ + section = Section.objects.create(name='<a>evil</a>') + response = self.client.get(reverse('admin:admin_views_section_change', args=(section.pk,))) + self.assertNotContains(response, "<a>evil</a>", status_code=200) + self.assertContains(response, "<a>evil</a>", status_code=200) + @override_settings(PASSWORD_HASHERS=('django.contrib.auth.hashers.SHA1PasswordHasher',), ROOT_URLCONF="admin_views.urls") |