Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#15182 closed (fixed)

ClearableFileInput widget doesn't encode values when render HTML

Reported by: e.generalov Owned by: nobody
Component: Forms Version: master
Severity: Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

Given I have a model with FileField, admin interface and browser with JavaScript enabled.
When I upload a file with name "something<div onclick="alert('oops')">.jpg"
then I see model change form with link like to "something.jpg".
And when I click to the "jpg" then I see "oops" alert.

There is a bug in the ClearableFileInput render method. It doesn't encodes FileField properties (name and url) when writes HTML.
It could be dangerous for sites where users can to upload files and administrators manages them with admin interface.

Attachments (2)

clearablefieldwidget-encode-to-html.patch (2.3 KB) - added by e.generalov 6 years ago.
15182_v2.diff (1.9 KB) - added by Gabriel Hurley 6 years ago.

Download all attachments as: .zip

Change History (5)

Changed 6 years ago by e.generalov

comment:1 Changed 6 years ago by anonymous

Has patch: set

Changed 6 years ago by Gabriel Hurley

Attachment: 15182_v2.diff added

comment:2 Changed 6 years ago by Carl Meyer

Resolution: fixed
Status: newclosed

In [15470]:

Fixed #15182 - Fixed a security issue with ClearableFileInput. Disclosure and new release forthcoming.

comment:3 Changed 6 years ago by Carl Meyer

e.generalov: Thanks for this report and fix. In future please report security issues privately to security@djangoproject.com.

Note: See TracTickets for help on using tickets.
Back to Top