Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Cloud:OpenStack:Newton
python-Django
CVE-2020-13596.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2020-13596.patch of Package python-Django
commit dbce5a92224d1ced16c99ba871aeaa8ac4910a07 Author: Jon Dufresne <jon.dufresne@gmail.com> Date: Tue May 26 09:51:02 2020 +0200 [2.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget. Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now ensures query parameters are correctly URL encoded. Index: Django-1.8.19/django/contrib/admin/widgets.py =================================================================== --- Django-1.8.19.orig/django/contrib/admin/widgets.py +++ Django-1.8.19/django/contrib/admin/widgets.py @@ -17,6 +17,7 @@ from django.utils.encoding import force_ from django.utils.html import ( escape, format_html, format_html_join, smart_urlquote, ) +from django.utils.http import urlencode from django.utils.safestring import mark_safe from django.utils.text import Truncator from django.utils.translation import ugettext as _ @@ -167,6 +168,7 @@ class ForeignKeyRawIdWidget(forms.TextIn params = self.url_parameters() if params: + related_url += '?' + urlencode(params) url = '?' + '&'.join('%s=%s' % (k, v) for k, v in params.items()) else: url = '' Index: Django-1.8.19/tests/admin_widgets/models.py =================================================================== --- Django-1.8.19.orig/tests/admin_widgets/models.py +++ Django-1.8.19/tests/admin_widgets/models.py @@ -31,6 +31,15 @@ class Band(models.Model): @python_2_unicode_compatible +class UnsafeLimitChoicesTo(models.Model): + band = models.ForeignKey( + Band, + models.CASCADE, + limit_choices_to={'name': '"&><escapeme'}, + ) + + +@python_2_unicode_compatible class Album(models.Model): band = models.ForeignKey(Band) name = models.CharField(max_length=100) Index: Django-1.8.19/tests/admin_widgets/tests.py =================================================================== --- Django-1.8.19.orig/tests/admin_widgets/tests.py +++ Django-1.8.19/tests/admin_widgets/tests.py @@ -487,6 +487,16 @@ class ForeignKeyRawIdWidgetTest(DjangoTe ) ) + def test_render_unsafe_limit_choices_to(self): + rel = models.UnsafeLimitChoicesTo._meta.get_field('band').remote_field + w = widgets.ForeignKeyRawIdWidget(rel, widget_admin_site) + self.assertHTMLEqual( + w.render('test', None), + '<input type="text" name="test" class="vForeignKeyRawIdAdminField">\n' + '<a href="/admin_widgets/band/?name=%22%26%3E%3Cescapeme&_to_field=id" ' + 'class="related-lookup" id="lookup_id_test" title="Lookup"></a>' + ) + @override_settings(ROOT_URLCONF='admin_widgets.urls') class ManyToManyRawIdWidgetTest(DjangoTestCase):
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor