| author | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-05-23 12:06:34 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-06-03 11:37:28 +0200 |
| commit | afddabf8428ddc89a332f7a78d0d21eaf2b5a673 (patch) | |
| tree | 3c989bb92a4955dbc8e64c5298d07b6f099304f4 /django | |
| parent | 4a1d25b39f8265178f72c90a1bd5fce583babd54 (diff) | |
[2.2.x] Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link.
Backport of deeba6d92006999fee9adfbd8be79bf0a59e8008 from master.
Diffstat (limited to 'django')
| -rw-r--r-- | django/contrib/admin/templates/admin/widgets/url.html | 2 | ||||
| -rw-r--r-- | django/contrib/admin/widgets.py | 10 |
2 files changed, 10 insertions, 2 deletions
diff --git a/django/contrib/admin/templates/admin/widgets/url.html b/django/contrib/admin/templates/admin/widgets/url.html
index ee1a66a35f..69dc401ba1 100644
--- a/django/contrib/admin/templates/admin/widgets/url.html
+++ b/django/contrib/admin/templates/admin/widgets/url.html
@@ -1 +1 @@
-{% if widget.value %}<p class="url">{{ current_label }} <a href="{{ widget.href }}">{{ widget.value }}</a><br>{{ change_label }} {% endif %}{% include "django/forms/widgets/input.html" %}{% if widget.value %}</p>{% endif %}
+{% if url_valid %}<p class="url">{{ current_label }} <a href="{{ widget.href }}">{{ widget.value }}</a><br>{{ change_label }} {% endif %}{% include "django/forms/widgets/input.html" %}{% if url_valid %}</p>{% endif %}
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 81dbcaf236..aa4b613894 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -7,6 +7,7 @@ import json
 from django import forms
 from django.conf import settings
 from django.core.exceptions import ValidationError
+from django.core.validators import URLValidator
 from django.db.models.deletion import CASCADE
 from django.urls import reverse
 from django.urls.exceptions import NoReverseMatch
@@ -330,14 +331,21 @@ class AdminEmailInputWidget(forms.EmailInput): class AdminURLFieldWidget(forms.URLInput): template_name = 'admin/widgets/url.html' - def __init__(self, attrs=None): + def __init__(self, attrs=None, validator_class=URLValidator): super().__init__(attrs={'class': 'vURLField', **(attrs or {})}) + self.validator = validator_class() def get_context(self, name, value, attrs): + try: + self.validator(value if value else '') + url_valid = True + except ValidationError: + url_valid = False context = super().get_context(name, value, attrs) context['current_label'] = _('Currently:') context['change_label'] = _('Change:') context['widget']['href'] = smart_urlquote(context['widget']['value']) if value else '' + context['url_valid'] = url_valid return context |
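Review bot: The try/except that computes url_valid at the top of get_context carries no comment saying why the value is validated before the template turns it into an href, which is the whole point of the CVE-2019-12308 fix named in the commit title; add `# Only render the stored value as a clickable link when URLValidator accepts it (CVE-2019-12308); the template still shows the plain input otherwise.` above `try:`. The validator is applied to `value`, while the href a few lines below is built from `context['widget']['value']`, so a subclass that overrides format_value could end up with a link built from a string the validator never saw — validating the same formatted value would close that gap, if such subclasses exist here. Minor style: `value if value else ''` reads more simply as `value or ''`, and since URLValidator rejects the empty string, a true `url_valid` already implies a truthy value wherever the template uses the href. AdminURLFieldWidget starts inside this hunk and appears to end at `return context`, though trailing context lines may have been lost in this rendering.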
