File CVE-2019-12308.patch of Package python-Django.35578

From deeba6d92006999fee9adfbd8be79bf0a59e8008 Mon Sep 17 00:00:00 2001
From: Carlton Gibson <carlton.gibson@noumenal.es>
Date: Thu, 23 May 2019 12:06:34 +0200
Subject: [PATCH] Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL
 before rendering clickable link.

---
 .../admin/templates/admin/widgets/url.html    |  2 +-
 django/contrib/admin/widgets.py               | 10 +++++++-
 docs/releases/1.11.21.txt                     | 16 ++++++++++++-
 docs/releases/2.1.9.txt                       | 14 +++++++++++
 docs/releases/2.2.2.txt                       | 14 +++++++++++
 tests/admin_widgets/tests.py                  | 23 ++++++++++++-------
 6 files changed, 68 insertions(+), 11 deletions(-)

Index: Django-2.0.7/django/contrib/admin/templates/admin/widgets/url.html
===================================================================
--- Django-2.0.7.orig/django/contrib/admin/templates/admin/widgets/url.html
+++ Django-2.0.7/django/contrib/admin/templates/admin/widgets/url.html
@@ -1 +1 @@
-{% if widget.value %}<p class="url">{{ current_label }} <a href="{{ widget.href }}">{{ widget.value }}</a><br />{{ change_label }} {% endif %}{% include "django/forms/widgets/input.html" %}{% if widget.value %}</p>{% endif %}
+{% if url_valid %}<p class="url">{{ current_label }} <a href="{{ widget.href }}">{{ widget.value }}</a><br />{{ change_label }} {% endif %}{% include "django/forms/widgets/input.html" %}{% if url_valid %}</p>{% endif %}
Index: Django-2.0.7/django/contrib/admin/widgets.py
===================================================================
--- Django-2.0.7.orig/django/contrib/admin/widgets.py
+++ Django-2.0.7/django/contrib/admin/widgets.py
@@ -7,6 +7,7 @@ import json
 from django import forms
 from django.conf import settings
 from django.core.exceptions import ValidationError
+from django.core.validators import URLValidator
 from django.db.models.deletion import CASCADE
 from django.urls import reverse
 from django.urls.exceptions import NoReverseMatch
@@ -354,17 +355,24 @@ class AdminEmailInputWidget(forms.EmailI
 class AdminURLFieldWidget(forms.URLInput):
     template_name = 'admin/widgets/url.html'
 
-    def __init__(self, attrs=None):
+    def __init__(self, attrs=None, validator_class=URLValidator):
         final_attrs = {'class': 'vURLField'}
         if attrs is not None:
             final_attrs.update(attrs)
         super().__init__(attrs=final_attrs)
+        self.validator = validator_class()
 
     def get_context(self, name, value, attrs):
+        try:
+            self.validator(value if value else '')
+            url_valid = True
+        except ValidationError:
+            url_valid = False
         context = super().get_context(name, value, attrs)
         context['current_label'] = _('Currently:')
         context['change_label'] = _('Change:')
         context['widget']['href'] = smart_urlquote(context['widget']['value']) if value else ''
+        context['url_valid'] = url_valid
         return context
 
 
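Review bot: The `context['widget']['href'] = smart_urlquote(...) if value else ''` line still builds the href from the raw value even when validation has just failed, so the only thing keeping an invalid value (for example the `javascript:` URI used in the tests) out of a clickable link is the template honouring the `url_valid` flag; changing it to `context['widget']['href'] = smart_urlquote(context['widget']['value']) if url_valid else ''` keeps the protection inside the widget regardless of which template renders it. The expression `value if value else ''` is the idiom `value or ''`. A short comment above the `try` would also help a later reader, e.g. `# Validate first: anything URLValidator rejects must not reach the template as a clickable href (CVE-2019-12308).`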
Index: Django-2.0.7/tests/admin_widgets/tests.py
===================================================================
--- Django-2.0.7.orig/tests/admin_widgets/tests.py
+++ Django-2.0.7/tests/admin_widgets/tests.py
@@ -333,6 +333,13 @@ class AdminSplitDateTimeWidgetTest(Simpl
 
 
 class AdminURLWidgetTest(SimpleTestCase):
+    def test_get_context_validates_url(self):
+        w = widgets.AdminURLFieldWidget()
+        for invalid in ['', '/not/a/full/url/', 'javascript:alert("Danger XSS!")']:
+            with self.subTest(url=invalid):
+                self.assertFalse(w.get_context('name', invalid, {})['url_valid'])
+        self.assertTrue(w.get_context('name', 'http://example.com', {})['url_valid'])
+
     def test_render(self):
         w = widgets.AdminURLFieldWidget()
         self.assertHTMLEqual(
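Review bot: `test_get_context_validates_url` only inspects the `url_valid` context flag, so it would keep passing if the template stopped honouring that flag; one assertion on rendered output for an invalid input, e.g. `self.assertNotIn('<a href=', w.render('test', '/not/a/full/url/'))`, ties the regression test to what is actually emitted. The `test_render` method whose first lines close this hunk continues outside it.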
@@ -366,31 +373,31 @@ class AdminURLWidgetTest(SimpleTestCase)
         VALUE_RE = re.compile('value="([^"]+)"')
         TEXT_RE = re.compile('<a[^>]+>([^>]+)</a>')
         w = widgets.AdminURLFieldWidget()
-        output = w.render('test', 'http://example.com/<sometag>some text</sometag>')
+        output = w.render('test', 'http://example.com/<sometag>some-text</sometag>')
         self.assertEqual(
             HREF_RE.search(output).groups()[0],
-            'http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E',
+            'http://example.com/%3Csometag%3Esome-text%3C/sometag%3E',
         )
         self.assertEqual(
             TEXT_RE.search(output).groups()[0],
-            'http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
+            'http://example.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
         )
         self.assertEqual(
             VALUE_RE.search(output).groups()[0],
-            'http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
+            'http://example.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
         )
-        output = w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')
+        output = w.render('test', 'http://example-äüö.com/<sometag>some-text</sometag>')
         self.assertEqual(
             HREF_RE.search(output).groups()[0],
-            'http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E',
+            'http://xn--example--7za4pnc.com/%3Csometag%3Esome-text%3C/sometag%3E',
         )
         self.assertEqual(
             TEXT_RE.search(output).groups()[0],
-            'http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
+            'http://example-äüö.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
         )
         self.assertEqual(
             VALUE_RE.search(output).groups()[0],
-            'http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
+            'http://example-äüö.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
         )
         output = w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"')
         self.assertEqual(
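Review bot: Replacing `some text` with `some-text` in every fixture from the first `w.render(...)` line onward drops the only coverage of a value containing an unencoded space, and nothing in the hunk says why; presumably such a value no longer passes URLValidator and the link is now hidden, which is a behaviour change for already-stored data. A one-line comment at the first changed fixture, `# Fixtures must pass URLValidator; a value with an unencoded space is now treated as invalid.`, plus one assertion that such a value yields `url_valid` False, would document the narrowing. The enclosing test method continues past the end of the hunk.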