author Carlton Gibson <carlton.gibson@noumenal.es> 2019-05-23 12:06:34 +0200
committer Carlton Gibson <carlton.gibson@noumenal.es> 2019-06-03 11:36:12 +0200
commit deeba6d92006999fee9adfbd8be79bf0a59e8008 (patch)
tree c77fd6fb553aa154ffe78d9cf748bdef6d80e6e1 /docs/releases
parent 98c0fe19ee2cba9726708ac9336e1dc0d43cca69 (diff)
Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link.
Diffstat (limited to 'docs/releases')
-rw-r--r-- docs/releases/1.11.21.txt 16
-rw-r--r-- docs/releases/2.1.9.txt 14
-rw-r--r-- docs/releases/2.2.2.txt 14
3 files changed, 43 insertions, 1 deletions
diff --git a/docs/releases/1.11.21.txt b/docs/releases/1.11.21.txt
index 75d3599c2a..3da7a78612 100644
--- a/docs/releases/1.11.21.txt
+++ b/docs/releases/1.11.21.txt
@@ -4,4 +4,18 @@ Django 1.11.21 release notes
*June 3, 2019*
-Django 1.11.21 fixes security issues in 1.11.20.
+Django 1.11.21 fixes a security issue in 1.11.20.
+
+CVE-2019-12308: AdminURLFieldWidget XSS
+---------------------------------------
+
+The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
+the provided value without validating it as a safe URL. Thus, an unvalidated
+value stored in the database, or a value provided as a URL query parameter
+payload, could result in an clickable JavaScript link.
+
+``AdminURLFieldWidget`` now validates the provided value using
+:class:`~django.core.validators.URLValidator` before displaying the clickable
+link. You may customise the validator by passing a ``validator_class`` kwarg to
+``AdminURLFieldWidget.__init__()``, e.g. when using
+:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
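Review bot: typo in the new paragraph of 1.11.21.txt: "could result in an clickable JavaScript link" should read "could result in a clickable JavaScript link". The same sentence is copied verbatim into 2.1.9.txt and 2.2.2.txt in this commit, so the fix should be applied in all three release notes before merging.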
diff --git a/docs/releases/2.1.9.txt b/docs/releases/2.1.9.txt
index 765643759d..0022de965c 100644
--- a/docs/releases/2.1.9.txt
+++ b/docs/releases/2.1.9.txt
@@ -5,3 +5,17 @@ Django 2.1.9 release notes
*June 3, 2019*
Django 2.1.9 fixes security issues in 2.1.8.
+
+CVE-2019-12308: AdminURLFieldWidget XSS
+---------------------------------------
+
+The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
+the provided value without validating it as a safe URL. Thus, an unvalidated
+value stored in the database, or a value provided as a URL query parameter
+payload, could result in an clickable JavaScript link.
+
+``AdminURLFieldWidget`` now validates the provided value using
+:class:`~django.core.validators.URLValidator` before displaying the clickable
+link. You may customise the validator by passing a ``validator_class`` kwarg to
+``AdminURLFieldWidget.__init__()``, e.g. when using
+:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
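Review bot: same typo here, "an clickable JavaScript link" should be "a clickable JavaScript link". Also, the 1.11.21 hunk changes its intro line to the singular "fixes a security issue", while the unchanged context line "Django 2.1.9 fixes security issues in 2.1.8." keeps the plural; if CVE-2019-12308 is the only security fix in 2.1.9, please make the wording consistent, otherwise leave it and this is fine.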
diff --git a/docs/releases/2.2.2.txt b/docs/releases/2.2.2.txt
index f0b97c9f26..8c70d104d7 100644
--- a/docs/releases/2.2.2.txt
+++ b/docs/releases/2.2.2.txt
@@ -6,6 +6,20 @@ Django 2.2.2 release notes
Django 2.2.2 fixes security issues and several bugs in 2.2.1.
+CVE-2019-12308: AdminURLFieldWidget XSS
+---------------------------------------
+
+The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
+the provided value without validating it as a safe URL. Thus, an unvalidated
+value stored in the database, or a value provided as a URL query parameter
+payload, could result in an clickable JavaScript link.
+
+``AdminURLFieldWidget`` now validates the provided value using
+:class:`~django.core.validators.URLValidator` before displaying the clickable
+link. You may customise the validator by passing a ``validator_class`` kwarg to
+``AdminURLFieldWidget.__init__()``, e.g. when using
+:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
+
Bugfixes
========
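Review bot: the "an clickable JavaScript link" typo is repeated in the 2.2.2.txt paragraph; change it to "a clickable JavaScript link" so the three release notes stay identical. The placement of the CVE section ahead of "Bugfixes" matches the convention in the other 2.2.x notes, and the trailing blank line before the "Bugfixes" heading is correct.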