From 09186a13d975de6d049f8b3e05484f66b01ece62 Mon Sep 17 00:00:00 2001 From: Carlton Gibson Date: Thu, 23 May 2019 12:06:34 +0200 Subject: [2.1.x] Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link. Backport of deeba6d92006999fee9adfbd8be79bf0a59e8008 from master. --- docs/releases/1.11.21.txt | 16 +++++++++++++++- docs/releases/2.1.9.txt | 14 ++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) (limited to 'docs') diff --git a/docs/releases/1.11.21.txt b/docs/releases/1.11.21.txt index 75d3599c2a..3da7a78612 100644 --- a/docs/releases/1.11.21.txt +++ b/docs/releases/1.11.21.txt @@ -4,4 +4,18 @@ Django 1.11.21 release notes *June 3, 2019* -Django 1.11.21 fixes security issues in 1.11.20. +Django 1.11.21 fixes a security issue in 1.11.20. + +CVE-2019-12308: AdminURLFieldWidget XSS +--------------------------------------- + +The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed +the provided value without validating it as a safe URL. Thus, an unvalidated +value stored in the database, or a value provided as a URL query parameter +payload, could result in an clickable JavaScript link. + +``AdminURLFieldWidget`` now validates the provided value using +:class:`~django.core.validators.URLValidator` before displaying the clickable +link. You may customise the validator by passing a ``validator_class`` kwarg to +``AdminURLFieldWidget.__init__()``, e.g. when using +:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`. diff --git a/docs/releases/2.1.9.txt b/docs/releases/2.1.9.txt index 765643759d..0022de965c 100644 --- a/docs/releases/2.1.9.txt +++ b/docs/releases/2.1.9.txt @@ -5,3 +5,17 @@ Django 2.1.9 release notes *June 3, 2019* Django 2.1.9 fixes security issues in 2.1.8. + +CVE-2019-12308: AdminURLFieldWidget XSS +--------------------------------------- + +The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed +the provided value without validating it as a safe URL. Thus, an unvalidated +value stored in the database, or a value provided as a URL query parameter +payload, could result in an clickable JavaScript link. + +``AdminURLFieldWidget`` now validates the provided value using +:class:`~django.core.validators.URLValidator` before displaying the clickable +link. You may customise the validator by passing a ``validator_class`` kwarg to +``AdminURLFieldWidget.__init__()``, e.g. when using +:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`. -- cgit v1.3