
Commit 1966786

committed
[1.1.X] Fixed security issue in AdminFileWidget. Release and disclosure forthcoming.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15472 bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent 570a32a commit 1966786


2 files changed

+17
-1
lines changed


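--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -93,7 +93,7 @@ def render(self, name, value, attrs=None):
         output = []
         if value and hasattr(value, "url"):
             output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \
-                (_('Currently:'), value.url, value, _('Change:')))
+                (_('Currently:'), escape(value.url), escape(value), _('Change:')))
         output.append(super(AdminFileWidget, self).render(name, value, attrs))
         return mark_safe(u''.join(output))
 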
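Review bot: `escape()` now wraps the two interpolations on the new line 96, but nothing records the invariant that every value fed to this `%` format string must be escaped before the joined result reaches `mark_safe()` at line 98, so a later edit that adds another interpolated value would silently reopen the same hole. Suggest a comment above the `output.append(...)` call: `# value.url and the file name come from stored data and are untrusted; every value interpolated here must be escaped because the joined result is passed to mark_safe() below.` The `escape` name has to be in scope from `django.utils.html` in this module; the import is outside the hunk, so confirm it is present. `render` begins outside the hunk.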
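--- a/tests/regressiontests/admin_widgets/tests.py
+++ b/tests/regressiontests/admin_widgets/tests.py
@@ -154,3 +154,19 @@ def test_nonexistent_target_id(self):
             post_data)
         self.assertContains(response,
             'Select a valid choice. That choice is not one of the available choices.')
+
+class AdminFileWidgetTest(DjangoTestCase):
+    def test_render_escapes_html(self):
+        class StrangeFieldFile(object):
+            url = "something?chapter=1&sect=2&copy=3&lang=en"
+
+            def __unicode__(self):
+                return u'''something<div onclick="alert('oops')">.jpg'''
+
+        widget = widgets.AdminFileWidget()
+        field = StrangeFieldFile()
+        output = widget.render('myfile', field)
+        self.assertFalse(field.url in output)
+        self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)
+        self.assertFalse(unicode(field) in output)
+        self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)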
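Review bot: `test_render_escapes_html` has no docstring stating which behaviour it pins, so whoever reads a later failure has to reconstruct the intent from the `StrangeFieldFile` fixture; suggest `"""AdminFileWidget.render() must HTML-escape the file URL and file name it interpolates into its markup."""` as the method's first line. The test only exercises the branch where the value has a `url` attribute; the path where `render` falls through to the parent widget's output with no `url` is not covered, so a second case passing a value without `url` would confirm the escaping change left that branch untouched. The enclosing test module continues outside the hunk.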
