File CVE-2020-13596.patch of Package python-Django
commit dbce5a92224d1ced16c99ba871aeaa8ac4910a07
Author: Jon Dufresne <jon.dufresne@gmail.com>
Date: Tue May 26 09:51:02 2020 +0200
[2.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.
Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
ensures query parameters are correctly URL encoded.
Index: Django-1.8.19/django/contrib/admin/widgets.py
===================================================================
--- Django-1.8.19.orig/django/contrib/admin/widgets.py
+++ Django-1.8.19/django/contrib/admin/widgets.py
@@ -17,6 +17,7 @@ from django.utils.encoding import force_
from django.utils.html import (
escape, format_html, format_html_join, smart_urlquote,
)
+from django.utils.http import urlencode
from django.utils.safestring import mark_safe
from django.utils.text import Truncator
from django.utils.translation import ugettext as _
@@ -167,6 +168,7 @@ class ForeignKeyRawIdWidget(forms.TextIn
params = self.url_parameters()
if params:
+ related_url += '?' + urlencode(params)
url = '?' + '&'.join('%s=%s' % (k, v) for k, v in params.items())
else:
url = ''
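Review bot: The added `related_url += '?' + urlencode(params)` sits next to the old `url = '?' + '&'.join('%s=%s' % (k, v) ...)` assignment, which this hunk keeps (the header counts one added line and nothing removed), so the unescaped `limit_choices_to` values are still built and, if the `<a href>` formatting below the hunk still appends `url` to `related_url` as this 1.8 code presumably does, they still land in the HTML next to the encoded copy — the XSS is not closed and the link would carry two `?` query strings. The new test expects a single encoded query string, which matches replacing the line rather than adding one: `url = '?' + urlencode(params)` in place of the `'&'.join(...)` line, with the `related_url +=` line dropped. `render()` starts and ends outside this hunk.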
Index: Django-1.8.19/tests/admin_widgets/models.py
===================================================================
--- Django-1.8.19.orig/tests/admin_widgets/models.py
+++ Django-1.8.19/tests/admin_widgets/models.py
@@ -31,6 +31,15 @@ class Band(models.Model):
@python_2_unicode_compatible
+class UnsafeLimitChoicesTo(models.Model):
+ band = models.ForeignKey(
+ Band,
+ models.CASCADE,
+ limit_choices_to={'name': '"&><escapeme'},
+ )
+
+
+@python_2_unicode_compatible
class Album(models.Model):
band = models.ForeignKey(Band)
name = models.CharField(max_length=100)
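Review bot: The new `class UnsafeLimitChoicesTo` is inserted directly under the existing `@python_2_unicode_compatible` context line, so that decorator now applies to the new model and a duplicate is added above `Album`; on Python 2, which this 1.8 branch supports, Django's `python_2_unicode_compatible` raises `ValueError` for a class that does not define `__str__`, so the whole `admin_widgets` models module would fail to import. Move the new class above the existing decorator and drop the added `@python_2_unicode_compatible` line. Separately, the context line `band = models.ForeignKey(Band)` shows the 1.8 field signature, where the second positional argument is presumably `to_field` rather than `on_delete`, so `models.CASCADE` passed positionally would be bound as the target field name; write it in the same form as `Album`: `band = models.ForeignKey(Band, limit_choices_to={'name': '"&><escapeme'})`.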
Index: Django-1.8.19/tests/admin_widgets/tests.py
===================================================================
--- Django-1.8.19.orig/tests/admin_widgets/tests.py
+++ Django-1.8.19/tests/admin_widgets/tests.py
@@ -487,6 +487,16 @@ class ForeignKeyRawIdWidgetTest(DjangoTe
)
)
+ def test_render_unsafe_limit_choices_to(self):
+ rel = models.UnsafeLimitChoicesTo._meta.get_field('band').remote_field
+ w = widgets.ForeignKeyRawIdWidget(rel, widget_admin_site)
+ self.assertHTMLEqual(
+ w.render('test', None),
+ '<input type="text" name="test" class="vForeignKeyRawIdAdminField">\n'
+ '<a href="/admin_widgets/band/?name=%22%26%3E%3Cescapeme&_to_field=id" '
+ 'class="related-lookup" id="lookup_id_test" title="Lookup"></a>'
+ )
+
@override_settings(ROOT_URLCONF='admin_widgets.urls')
class ManyToManyRawIdWidgetTest(DjangoTestCase):
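Review bot: `get_field('band').remote_field` on the first line of the new test is a Django 1.9+ attribute; on this 1.8 branch the relation object is presumably `field.rel`, as the sibling tests in this class outside the hunk would use, so the test would raise `AttributeError` unless `remote_field` has been back-ported: `rel = models.UnsafeLimitChoicesTo._meta.get_field('band').rel`. The expected href also pins the order `name=...&_to_field=id`, but `urlencode` over the plain dict that `url_parameters()` (outside the hunk) appears to return follows dict iteration order, which is randomized per process on Python 3.3–3.5; asserting the escaped fragment `name=%22%26%3E%3Cescapeme` with `assertIn`, or comparing `parse_qs` of the query string, would be stable. `ManyToManyRawIdWidgetTest` continues past the end of the hunk.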