Skip to content

Commit c238701

Browse files
carltongibsoncarltongibson
committed
[1.11.x] Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link.
Backport of deeba6d from master.
1 parent 4b3716e commit c238701

File tree

4 files changed

+39
-11
lines changed

4 files changed

+39
-11
lines changed

django/contrib/admin/templates/admin/widgets/url.html

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
{% if widget.value %}<p class="url">{{ current_label }} <a href="{{ widget.href }}">{{ widget.value }}</a><br />{{ change_label }} {% endif %}{% include "django/forms/widgets/input.html" %}{% if widget.value %}</p>{% endif %}
1+
{% if url_valid %}<p class="url">{{ current_label }} <a href="{{ widget.href }}">{{ widget.value }}</a><br />{{ change_label }} {% endif %}{% include "django/forms/widgets/input.html" %}{% if url_valid %}</p>{% endif %}

django/contrib/admin/widgets.py

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@
77

88
from django import forms
99
from django.core.exceptions import ValidationError
10+
from django.core.validators import URLValidator
1011
from django.db.models.deletion import CASCADE
1112
from django.urls import reverse
1213
from django.urls.exceptions import NoReverseMatch
@@ -339,17 +340,24 @@ def __init__(self, attrs=None):
339340
class AdminURLFieldWidget(forms.URLInput):
340341
template_name = 'admin/widgets/url.html'
341342

342-
def __init__(self, attrs=None):
343+
def __init__(self, attrs=None, validator_class=URLValidator):
343344
final_attrs = {'class': 'vURLField'}
344345
if attrs is not None:
345346
final_attrs.update(attrs)
346347
super(AdminURLFieldWidget, self).__init__(attrs=final_attrs)
348+
self.validator = validator_class()
347349

348350
def get_context(self, name, value, attrs):
351+
try:
352+
self.validator(value if value else '')
353+
url_valid = True
354+
except ValidationError:
355+
url_valid = False
349356
context = super(AdminURLFieldWidget, self).get_context(name, value, attrs)
350357
context['current_label'] = _('Currently:')
351358
context['change_label'] = _('Change:')
352359
context['widget']['href'] = smart_urlquote(context['widget']['value']) if value else ''
360+
context['url_valid'] = url_valid
353361
return context
354362

355363

docs/releases/1.11.21.txt

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,4 +4,18 @@ Django 1.11.21 release notes
44

55
*June 3, 2019*
66

7-
Django 1.11.21 fixes security issues in 1.11.20.
7+
Django 1.11.21 fixes a security issue in 1.11.20.
8+
9+
CVE-2019-12308: AdminURLFieldWidget XSS
10+
---------------------------------------
11+
12+
The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
13+
the provided value without validating it as a safe URL. Thus, an unvalidated
14+
value stored in the database, or a value provided as a URL query parameter
15+
payload, could result in an clickable JavaScript link.
16+
17+
``AdminURLFieldWidget`` now validates the provided value using
18+
:class:`~django.core.validators.URLValidator` before displaying the clickable
19+
link. You may customise the validator by passing a ``validator_class`` kwarg to
20+
``AdminURLFieldWidget.__init__()``, e.g. when using
21+
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.

tests/admin_widgets/tests.py

Lines changed: 14 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -336,6 +336,12 @@ def test_localization(self):
336336

337337

338338
class AdminURLWidgetTest(SimpleTestCase):
339+
def test_get_context_validates_url(self):
340+
w = widgets.AdminURLFieldWidget()
341+
for invalid in ['', '/not/a/full/url/', 'javascript:alert("Danger XSS!")']:
342+
self.assertFalse(w.get_context('name', invalid, {})['url_valid'])
343+
self.assertTrue(w.get_context('name', 'http://example.com', {})['url_valid'])
344+
339345
def test_render(self):
340346
w = widgets.AdminURLFieldWidget()
341347
self.assertHTMLEqual(
@@ -369,31 +375,31 @@ def test_render_quoting(self):
369375
VALUE_RE = re.compile('value="([^"]+)"')
370376
TEXT_RE = re.compile('<a[^>]+>([^>]+)</a>')
371377
w = widgets.AdminURLFieldWidget()
372-
output = w.render('test', 'http://example.com/<sometag>some text</sometag>')
378+
output = w.render('test', 'http://example.com/<sometag>some-text</sometag>')
373379
self.assertEqual(
374380
HREF_RE.search(output).groups()[0],
375-
'http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E',
381+
'http://example.com/%3Csometag%3Esome-text%3C/sometag%3E',
376382
)
377383
self.assertEqual(
378384
TEXT_RE.search(output).groups()[0],
379-
'http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
385+
'http://example.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
380386
)
381387
self.assertEqual(
382388
VALUE_RE.search(output).groups()[0],
383-
'http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
389+
'http://example.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
384390
)
385-
output = w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')
391+
output = w.render('test', 'http://example-äüö.com/<sometag>some-text</sometag>')
386392
self.assertEqual(
387393
HREF_RE.search(output).groups()[0],
388-
'http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E',
394+
'http://xn--example--7za4pnc.com/%3Csometag%3Esome-text%3C/sometag%3E',
389395
)
390396
self.assertEqual(
391397
TEXT_RE.search(output).groups()[0],
392-
'http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
398+
'http://example-äüö.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
393399
)
394400
self.assertEqual(
395401
VALUE_RE.search(output).groups()[0],
396-
'http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
402+
'http://example-äüö.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
397403
)
398404
output = w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"')
399405
self.assertEqual(

0 commit comments

Comments
 (0)