
commit dbce5a92224d1ced16c99ba871aeaa8ac4910a07
Author: Jon Dufresne <jon.dufresne@gmail.com>
Date:   Tue May 26 09:51:02 2020 +0200

    [2.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin ForeignKeyRawIdWidget.

Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
ensures query parameters are correctly URL encoded.

Index: Django-1.11.23/django/contrib/admin/widgets.py
===================================================================
--- Django-1.11.23.orig/django/contrib/admin/widgets.py
+++ Django-1.11.23/django/contrib/admin/widgets.py
@@ -14,6 +14,7 @@ from django.urls.exceptions import NoRev
 from django.utils import six
 from django.utils.encoding import force_text
 from django.utils.html import smart_urlquote
+from django.utils.http import urlencode
 from django.utils.safestring import mark_safe
 from django.utils.text import Truncator
 from django.utils.translation import ugettext as _
@@ -149,7 +150,7 @@ class ForeignKeyRawIdWidget(forms.TextIn
 
             params = self.url_parameters()
             if params:
-                related_url += '?' + '&amp;'.join('%s=%s' % (k, v) for k, v in params.items())
+                related_url += '?' + urlencode(params)
             context['related_url'] = mark_safe(related_url)
             context['link_title'] = _('Lookup')
             # The JavaScript code looks for this class.
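Review bot: `context['related_url'] = mark_safe(related_url)` is kept on the line after the fix, so the URL still bypasses template autoescaping and the protection now rests entirely on `urlencode(params)` emitting only URL-safe characters; it also means the `&` between query parameters is written raw into the `href` attribute where the old code at least emitted `&amp;`. Since the value is now plain text, the safer and equally correct change is to drop the marker and let the template escape it: `context['related_url'] = related_url`. The enclosing method of `ForeignKeyRawIdWidget` (including the statement that builds `related_url` before the query string is appended) starts above this hunk. The accompanying `assertHTMLEqual` test compares parsed attribute values, so it would presumably not distinguish `&` from `&amp;` either.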
Index: Django-1.11.23/tests/admin_widgets/models.py
===================================================================
--- Django-1.11.23.orig/tests/admin_widgets/models.py
+++ Django-1.11.23/tests/admin_widgets/models.py
@@ -33,6 +33,15 @@ class Band(models.Model):
 
 
 @python_2_unicode_compatible
+class UnsafeLimitChoicesTo(models.Model):
+    band = models.ForeignKey(
+        Band,
+        models.CASCADE,
+        limit_choices_to={'name': '"&><escapeme'},
+    )
+
+
+@python_2_unicode_compatible
 class Album(models.Model):
     band = models.ForeignKey(Band, models.CASCADE)
     name = models.CharField(max_length=100)
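Review bot: The unchanged `@python_2_unicode_compatible` line now sits directly above the new `class UnsafeLimitChoicesTo`, and a second copy is added for `Album`, so the new model ends up decorated even though it defines no `__str__`. Under Python 2, which Django 1.11 still supports, `python_2_unicode_compatible` raises `ValueError` for a class lacking `__str__`, so importing `admin_widgets.models` would fail and take the whole test module down with it; the commit header says this was taken from 2.0.x, which has no such decorators, so this is presumably a backport artifact. Drop the added `@python_2_unicode_compatible` line and place the new class (with its two trailing blank lines) above the original decorator so that it stays attached to `Album`, or alternatively give `UnsafeLimitChoicesTo` a `__str__` of its own.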
Index: Django-1.11.23/tests/admin_widgets/tests.py
===================================================================
--- Django-1.11.23.orig/tests/admin_widgets/tests.py
+++ Django-1.11.23/tests/admin_widgets/tests.py
@@ -482,6 +482,16 @@ class AdminFileWidgetTests(TestDataMixin
             html=True,
         )
 
+    def test_render_unsafe_limit_choices_to(self):
+        rel = models.UnsafeLimitChoicesTo._meta.get_field('band').remote_field
+        w = widgets.ForeignKeyRawIdWidget(rel, widget_admin_site)
+        self.assertHTMLEqual(
+            w.render('test', None),
+            '<input type="text" name="test" class="vForeignKeyRawIdAdminField">\n'
+            '<a href="/admin_widgets/band/?name=%22%26%3E%3Cescapeme&amp;_to_field=id" '
+            'class="related-lookup" id="lookup_id_test" title="Lookup"></a>'
+        )
+
 
 @override_settings(ROOT_URLCONF='admin_widgets.urls')
 class ForeignKeyRawIdWidgetTest(TestCase):
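Review bot: Judging by the hunk header and the four-space indentation, `test_render_unsafe_limit_choices_to` is appended to `AdminFileWidgetTests` (whose class line is above the hunk) rather than to `ForeignKeyRawIdWidgetTest`, the class named for the widget under test that begins two lines below; moving it there keeps the raw-id widget tests together and avoids misleading readers about which widget failed. Also, `assertHTMLEqual` compares parsed attribute values, so the `&amp;_to_field=id` in the expected markup presumably matches a raw `&` just as well: the assertion pins the percent-encoding of `"&><` but not whether the `href` itself is entity-escaped. A short comment would make that explicit, e.g. `# assertHTMLEqual decodes entities; this checks the %-encoding of the unsafe characters, not attribute escaping.`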