From: Chris Lamb Date: Fri, 3 Aug 2018 11:48:27 +0800 Subject: CVE-2017-12794 Fix a cross-site scripting attack in the technical HTTP 500 page. This vulnerability did not affect production sites as they typically do not run with "DEBUG = True". --- django/views/debug.py | 20 +++++++++----------- tests/view_tests/tests/py3_test_debug.py | 13 +++++++------ 2 files changed, 16 insertions(+), 17 deletions(-) diff --git a/django/views/debug.py b/django/views/debug.py index 0ed55fd..327ff43 100644 --- a/django/views/debug.py +++ b/django/views/debug.py @@ -775,38 +775,37 @@ TECHNICAL_500_TEMPLATE = ("""

Traceback {% if not is_email %} Switch to copy-and-paste view{% endif %}

- {% autoescape off %}
- {% endautoescape %}
{% if not is_email %}
@@ -888,9 +886,9 @@ In template {{ template_info.name }}, error at line {{ template_info.line }} Traceback:{% for frame in frames %} {% ifchanged frame.exc_cause %}{% if frame.exc_cause %}{% if frame.exc_cause_explicit %} -The above exception ({{ frame.exc_cause }}) was the direct cause of the following exception: +The above exception ({{ frame.exc_cause|force_escape }}) was the direct cause of the following exception: {% else %} -During handling of the above exception ({{ frame.exc_cause }}), another exception occurred: +During handling of the above exception ({{ frame.exc_cause|force_escape }}), another exception occurred: {% endif %}{% endif %}{% endifchanged %} File "{{ frame.filename|escape }}" in {{ frame.function|escape }} {% if frame.context_line %} {{ frame.lineno }}. {{ frame.context_line|escape }}{% endif %}{% endfor %} diff --git a/tests/view_tests/tests/py3_test_debug.py b/tests/view_tests/tests/py3_test_debug.py index 30201ba..316179a 100644 --- a/tests/view_tests/tests/py3_test_debug.py +++ b/tests/view_tests/tests/py3_test_debug.py @@ -9,6 +9,7 @@ error (raise ... from ...) can't be silenced using NOQA. import sys from django.test import RequestFactory, TestCase +from django.utils.safestring import mark_safe from django.views.debug import ExceptionReporter @@ -20,10 +21,10 @@ class Py3ExceptionReporterTests(TestCase): request = self.rf.get('/test_view/') try: try: - raise AttributeError('Top level') + raise AttributeError(mark_safe('

Top level

')) except AttributeError as explicit: try: - raise ValueError('Second exception') from explicit + raise ValueError('

Second exception

') from explicit except ValueError: raise IndexError('Final exception') except Exception: @@ -37,9 +38,9 @@ class Py3ExceptionReporterTests(TestCase): html = reporter.get_traceback_html() # Both messages are twice on page -- one rendered as html, # one as plain text (for pastebin) - self.assertEqual(2, html.count(explicit_exc.format("Top level"))) - self.assertEqual(2, html.count(implicit_exc.format("Second exception"))) + self.assertEqual(2, html.count(explicit_exc.format('<p>Top level</p>'))) + self.assertEqual(2, html.count(implicit_exc.format('<p>Second exception</p>'))) text = reporter.get_traceback_text() - self.assertIn(explicit_exc.format("Top level"), text) - self.assertIn(implicit_exc.format("Second exception"), text) + self.assertIn(explicit_exc.format('

Top level

'), text) + self.assertIn(implicit_exc.format('

Second exception

'), text)