Django 2.1.9 版本发行说明
2019 年 6 月 3 日
Django 2.1.9 fixes security issues in 2.1.8.
CVE-2019-12308: AdminURLFieldWidget XSS
The clickable “Current URL” link generated by AdminURLFieldWidget
displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in an clickable JavaScript link.
AdminURLFieldWidget
now validates the provided value using URLValidator before displaying the clickable link. You may customize the validator by passing a validator_class
kwarg to AdminURLFieldWidget.__init__()
, e.g. when using formfield_overrides.
Patched bundled jQuery for CVE-2019-11358: Prototype pollution
jQuery before 3.4.0, mishandles jQuery.extend(true, {}, ...)
because of Object.prototype
pollution. If an unsanitized source object contained an enumerable __proto__
property, it could extend the native Object.prototype
.
The bundled version of jQuery used by the Django admin has been patched to allow for the select2
library’s use of jQuery.extend()
.