[1.8.x] Fixed XSS in admin's add/change related popup.

timgraham · timgraham · commit f68e5a991648 · 2016-07-18T13:45:11.000-04:00
This is a security fix.
diff --git a/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js b/django/contrib/admin/static/admin/js/admin/RelatedObjectLookups.js
@@ -105,7 +105,7 @@ function dismissChangeRelatedObjectPopup(win, objId, newRepr, newId) {
     var selects = django.jQuery(selectsSelector);
     selects.find('option').each(function() {
         if (this.value == objId) {
-            this.innerHTML = newRepr;
+            this.textContent = newRepr;
             this.value = newId;
         }
     });
diff --git a/django/views/debug.py b/django/views/debug.py
@@ -704,13 +704,13 @@ def default_urlconf(request):
       var s = link.getElementsByTagName('span')[0];
       var uarr = String.fromCharCode(0x25b6);
       var darr = String.fromCharCode(0x25bc);
-      s.innerHTML = s.innerHTML == uarr ? darr : uarr;
+      s.textContent = s.textContent == uarr ? darr : uarr;
       return false;
     }
     function switchPastebinFriendly(link) {
       s1 = "Switch to copy-and-paste view";
       s2 = "Switch back to interactive view";
-      link.innerHTML = link.innerHTML.trim() == s1 ? s2: s1;
+      link.textContent = link.textContent.trim() == s1 ? s2: s1;
       toggle('browserTraceback', 'pastebinTraceback');
       return false;
     }
diff --git a/docs/releases/1.8.14.txt b/docs/releases/1.8.14.txt
@@ -2,9 +2,20 @@
 Django 1.8.14 release notes
 ===========================
 
-*Under development*
+*July 18, 2016*
 
-Django 1.8.14 fixes several bugs in 1.8.13.
+Django 1.8.14 fixes a security issue and a bug in 1.8.13.
+
+XSS in admin's add/change related popup
+=======================================
+
+Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
+admin's add/change related popup. ``Element.textContent`` is now used to
+prevent execution of the data.
+
+The debug view also used ``innerHTML``. Although a security issue wasn't
+identified there, out of an abundance of caution it's also updated to use
+``textContent``.
 
 Bugfixes
 ========
diff --git a/tests/admin_views/admin.py b/tests/admin_views/admin.py
@@ -88,7 +88,8 @@ class ChapterXtra1Admin(admin.ModelAdmin):
 
 class ArticleAdmin(admin.ModelAdmin):
     list_display = ('content', 'date', callable_year, 'model_year',
-                    'modeladmin_year', 'model_year_reversed')
+                    'modeladmin_year', 'model_year_reversed', 'section')
+    list_editable = ('section',)
     list_filter = ('date', 'section')
     view_on_site = False
     fieldsets = (
diff --git a/tests/admin_views/models.py b/tests/admin_views/models.py
@@ -16,13 +16,17 @@
 from django.utils.encoding import python_2_unicode_compatible
 
 
+@python_2_unicode_compatible
 class Section(models.Model):
     """
     A simple section that links to articles, to test linking to related items
     in admin views.
     """
     name = models.CharField(max_length=100)
 
+    def __str__(self):
+        return self.name
+
     @property
     def name_property(self):
         """
diff --git a/tests/admin_views/tests.py b/tests/admin_views/tests.py
@@ -4056,6 +4056,44 @@ def test_cancel_delete_related_confirmation(self):
         self.assertEqual(Pizza.objects.count(), 1)
         self.assertEqual(Topping.objects.count(), 2)
 
+    def test_list_editable_popups(self):
+        """
+        list_editable foreign keys have add/change popups.
+        """
+        from selenium.webdriver.support.ui import Select
+        s1 = Section.objects.create(name='Test section')
+        Article.objects.create(
+            title='foo',
+            content='<p>Middle content</p>',
+            date=datetime.datetime(2008, 3, 18, 11, 54, 58),
+            section=s1,
+        )
+        self.admin_login(username='super', password='secret', login_url=reverse('admin:index'))
+        self.selenium.get(self.live_server_url + reverse('admin:admin_views_article_changelist'))
+        # Change popup
+        self.selenium.find_element_by_id('change_id_form-0-section').click()
+        self.wait_for_popup()
+        self.selenium.switch_to.window(self.selenium.window_handles[-1])
+        self.wait_for_text('#content h1', 'Change section')
+        name_input = self.selenium.find_element_by_id('id_name')
+        name_input.clear()
+        name_input.send_keys('<i>edited section</i>')
+        self.selenium.find_element_by_xpath('//input[@value="Save"]').click()
+        self.selenium.switch_to.window(self.selenium.window_handles[0])
+        select = Select(self.selenium.find_element_by_id('id_form-0-section'))
+        self.assertEqual(select.first_selected_option.text, '<i>edited section</i>')
+
+        # Add popup
+        self.selenium.find_element_by_id('add_id_form-0-section').click()
+        self.wait_for_popup()
+        self.selenium.switch_to.window(self.selenium.window_handles[-1])
+        self.wait_for_text('#content h1', 'Add section')
+        self.selenium.find_element_by_id('id_name').send_keys('new section')
+        self.selenium.find_element_by_xpath('//input[@value="Save"]').click()
+        self.selenium.switch_to.window(self.selenium.window_handles[0])
+        select = Select(self.selenium.find_element_by_id('id_form-0-section'))
+        self.assertEqual(select.first_selected_option.text, 'new section')
+
     def test_list_editable_raw_id_fields(self):
         parent = ParentWithUUIDPK.objects.create(title='test')
         parent2 = ParentWithUUIDPK.objects.create(title='test2')

Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ function dismissChangeRelatedObjectPopup(win, objId, newRepr, newId) {`
`105`	`105`	`var selects = django.jQuery(selectsSelector);`
`106`	`106`	`selects.find('option').each(function() {`
`107`	`107`	`if (this.value == objId) {`
`108`		`- this.innerHTML = newRepr;`
	`108`	`+ this.textContent = newRepr;`
`109`	`109`	`this.value = newId;`
`110`	`110`	`}`
`111`	`111`	`});`