Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP1
python-Django
CVE-2019-12308.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-12308.patch of Package python-Django
From deeba6d92006999fee9adfbd8be79bf0a59e8008 Mon Sep 17 00:00:00 2001 From: Carlton Gibson <carlton.gibson@noumenal.es> Date: Thu, 23 May 2019 12:06:34 +0200 Subject: [PATCH] Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link. --- .../admin/templates/admin/widgets/url.html | 2 +- django/contrib/admin/widgets.py | 10 +++++++- docs/releases/1.11.21.txt | 16 ++++++++++++- docs/releases/2.1.9.txt | 14 +++++++++++ docs/releases/2.2.2.txt | 14 +++++++++++ tests/admin_widgets/tests.py | 23 ++++++++++++------- 6 files changed, 68 insertions(+), 11 deletions(-) Index: Django-2.0.7/django/contrib/admin/templates/admin/widgets/url.html =================================================================== --- Django-2.0.7.orig/django/contrib/admin/templates/admin/widgets/url.html +++ Django-2.0.7/django/contrib/admin/templates/admin/widgets/url.html @@ -1 +1 @@ -{% if widget.value %}<p class="url">{{ current_label }} <a href="{{ widget.href }}">{{ widget.value }}</a><br />{{ change_label }} {% endif %}{% include "django/forms/widgets/input.html" %}{% if widget.value %}</p>{% endif %} +{% if url_valid %}<p class="url">{{ current_label }} <a href="{{ widget.href }}">{{ widget.value }}</a><br />{{ change_label }} {% endif %}{% include "django/forms/widgets/input.html" %}{% if url_valid %}</p>{% endif %} Index: Django-2.0.7/django/contrib/admin/widgets.py =================================================================== --- Django-2.0.7.orig/django/contrib/admin/widgets.py +++ Django-2.0.7/django/contrib/admin/widgets.py @@ -7,6 +7,7 @@ import json from django import forms from django.conf import settings from django.core.exceptions import ValidationError +from django.core.validators import URLValidator from django.db.models.deletion import CASCADE from django.urls import reverse from django.urls.exceptions import NoReverseMatch @@ -354,17 +355,24 @@ class AdminEmailInputWidget(forms.EmailI class AdminURLFieldWidget(forms.URLInput): template_name = 'admin/widgets/url.html' - def __init__(self, attrs=None): + def __init__(self, attrs=None, validator_class=URLValidator): final_attrs = {'class': 'vURLField'} if attrs is not None: final_attrs.update(attrs) super().__init__(attrs=final_attrs) + self.validator = validator_class() def get_context(self, name, value, attrs): + try: + self.validator(value if value else '') + url_valid = True + except ValidationError: + url_valid = False context = super().get_context(name, value, attrs) context['current_label'] = _('Currently:') context['change_label'] = _('Change:') context['widget']['href'] = smart_urlquote(context['widget']['value']) if value else '' + context['url_valid'] = url_valid return context Index: Django-2.0.7/tests/admin_widgets/tests.py =================================================================== --- Django-2.0.7.orig/tests/admin_widgets/tests.py +++ Django-2.0.7/tests/admin_widgets/tests.py @@ -333,6 +333,13 @@ class AdminSplitDateTimeWidgetTest(Simpl class AdminURLWidgetTest(SimpleTestCase): + def test_get_context_validates_url(self): + w = widgets.AdminURLFieldWidget() + for invalid in ['', '/not/a/full/url/', 'javascript:alert("Danger XSS!")']: + with self.subTest(url=invalid): + self.assertFalse(w.get_context('name', invalid, {})['url_valid']) + self.assertTrue(w.get_context('name', 'http://example.com', {})['url_valid']) + def test_render(self): w = widgets.AdminURLFieldWidget() self.assertHTMLEqual( @@ -366,31 +373,31 @@ class AdminURLWidgetTest(SimpleTestCase) VALUE_RE = re.compile('value="([^"]+)"') TEXT_RE = re.compile('<a[^>]+>([^>]+)</a>') w = widgets.AdminURLFieldWidget() - output = w.render('test', 'http://example.com/<sometag>some text</sometag>') + output = w.render('test', 'http://example.com/<sometag>some-text</sometag>') self.assertEqual( HREF_RE.search(output).groups()[0], - 'http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E', + 'http://example.com/%3Csometag%3Esome-text%3C/sometag%3E', ) self.assertEqual( TEXT_RE.search(output).groups()[0], - 'http://example.com/<sometag>some text</sometag>', + 'http://example.com/<sometag>some-text</sometag>', ) self.assertEqual( VALUE_RE.search(output).groups()[0], - 'http://example.com/<sometag>some text</sometag>', + 'http://example.com/<sometag>some-text</sometag>', ) - output = w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>') + output = w.render('test', 'http://example-äüö.com/<sometag>some-text</sometag>') self.assertEqual( HREF_RE.search(output).groups()[0], - 'http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E', + 'http://xn--example--7za4pnc.com/%3Csometag%3Esome-text%3C/sometag%3E', ) self.assertEqual( TEXT_RE.search(output).groups()[0], - 'http://example-äüö.com/<sometag>some text</sometag>', + 'http://example-äüö.com/<sometag>some-text</sometag>', ) self.assertEqual( VALUE_RE.search(output).groups()[0], - 'http://example-äüö.com/<sometag>some text</sometag>', + 'http://example-äüö.com/<sometag>some-text</sometag>', ) output = w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"') self.assertEqual(
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor