From: Chris Lamb <lamby@debian.org>
Date: Tue, 9 Jun 2020 15:55:54 +0100
Subject: CVE-2020-13596
---
django/contrib/admin/widgets.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
index 209e028..1a96fa7 100644
--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
@@ -14,6 +14,7 @@ from django.urls.exceptions import NoReverseMatch
from django.utils import six
from django.utils.encoding import force_text
from django.utils.html import smart_urlquote
+from django.utils.http import urlencode
from django.utils.safestring import mark_safe
from django.utils.text import Truncator
from django.utils.translation import ugettext as _
@@ -149,7 +150,7 @@ class ForeignKeyRawIdWidget(forms.TextInput):
params = self.url_parameters()
if params:
- related_url += '?' + '&'.join('%s=%s' % (k, v) for k, v in params.items())
+ related_url += '?' + urlencode(params)
context['related_url'] = mark_safe(related_url)
context['link_title'] = _('Lookup')
# The JavaScript code looks for this class.
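Review bot: `context['related_url'] = mark_safe(related_url)` on the line after the changed one still bypasses autoescaping, so the fix rests entirely on `urlencode` percent-encoding whatever `url_parameters()` returns; any other unescaped data that later reaches `related_url` would again be emitted raw into the link's href. Since autoescape renders `&` as `&amp;`, which is valid inside an href, the safer shape is to drop the wrapper and pass the plain string, `context['related_url'] = related_url`, which I believe is also what the upstream fix does — confirm against the admin_widgets test expectations (`&amp;` vs `&`) before changing. The diffstat shows no regression test in this backport; an assertion that a value such as `<script>` in `url_parameters()` renders percent-encoded would pin the fix. The enclosing method (not named in the hunk header) starts before this hunk.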