Fixed CVE-2019-12308 -- Made AdminURLFieldWidget validate URL before rendering clickable link.

author: Carlton Gibson <carlton.gibson@noumenal.es> 2019-05-23 12:06:34 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2019-06-03 11:36:12 +0200
commit: deeba6d92006999fee9adfbd8be79bf0a59e8008 (patch)
tree: c77fd6fb553aa154ffe78d9cf748bdef6d80e6e1 /tests/admin_widgets
parent: 98c0fe19ee2cba9726708ac9336e1dc0d43cca69 (diff)
download: django-deeba6d92006999fee9adfbd8be79bf0a59e8008.tar.gz
1 files changed, 15 insertions, 8 deletions
diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py
index a7335f8f69..18475658c9 100644
--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
@@ -333,6 +333,13 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
 
 
 class AdminURLWidgetTest(SimpleTestCase):
+    def test_get_context_validates_url(self):
+        w = widgets.AdminURLFieldWidget()
+        for invalid in ['', '/not/a/full/url/', 'javascript:alert("Danger XSS!")']:
+            with self.subTest(url=invalid):
+                self.assertFalse(w.get_context('name', invalid, {})['url_valid'])
+        self.assertTrue(w.get_context('name', 'http://example.com', {})['url_valid'])
+
     def test_render(self):
         w = widgets.AdminURLFieldWidget()
         self.assertHTMLEqual(
@@ -366,31 +373,31 @@ class AdminURLWidgetTest(SimpleTestCase):
         VALUE_RE = re.compile('value="([^"]+)"')
         TEXT_RE = re.compile('<a[^>]+>([^>]+)</a>')
         w = widgets.AdminURLFieldWidget()
-        output = w.render('test', 'http://example.com/<sometag>some text</sometag>')
+        output = w.render('test', 'http://example.com/<sometag>some-text</sometag>')
         self.assertEqual(
             HREF_RE.search(output).groups()[0],
-            'http://example.com/%3Csometag%3Esome%20text%3C/sometag%3E',
+            'http://example.com/%3Csometag%3Esome-text%3C/sometag%3E',
         )
         self.assertEqual(
             TEXT_RE.search(output).groups()[0],
-            'http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
+            'http://example.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
         )
         self.assertEqual(
             VALUE_RE.search(output).groups()[0],
-            'http://example.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
+            'http://example.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
         )
-        output = w.render('test', 'http://example-äüö.com/<sometag>some text</sometag>')
+        output = w.render('test', 'http://example-äüö.com/<sometag>some-text</sometag>')
         self.assertEqual(
             HREF_RE.search(output).groups()[0],
-            'http://xn--example--7za4pnc.com/%3Csometag%3Esome%20text%3C/sometag%3E',
+            'http://xn--example--7za4pnc.com/%3Csometag%3Esome-text%3C/sometag%3E',
         )
         self.assertEqual(
             TEXT_RE.search(output).groups()[0],
-            'http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
+            'http://example-äüö.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
         )
         self.assertEqual(
             VALUE_RE.search(output).groups()[0],
-            'http://example-äüö.com/&lt;sometag&gt;some text&lt;/sometag&gt;',
+            'http://example-äüö.com/&lt;sometag&gt;some-text&lt;/sometag&gt;',
         )
         output = w.render('test', 'http://www.example.com/%C3%A4"><script>alert("XSS!")</script>"')
         self.assertEqual(
author	Carlton Gibson <carlton.gibson@noumenal.es>	2019-05-23 12:06:34 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2019-06-03 11:36:12 +0200
commit	deeba6d92006999fee9adfbd8be79bf0a59e8008 (patch)
tree	c77fd6fb553aa154ffe78d9cf748bdef6d80e6e1 /tests/admin_widgets
parent	98c0fe19ee2cba9726708ac9336e1dc0d43cca69 (diff)
download	django-deeba6d92006999fee9adfbd8be79bf0a59e8008.tar.gz