Bug 676359 (CVE-2011-0697) - CVE-2011-0697 Django Potential XSS in file field rendering
Summary: CVE-2011-0697 Django Potential XSS in file field rendering
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-0697
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 676360
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-02-09 16:08 UTC by Josh Bressers
Modified: 2019-09-29 12:42 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-03-17 11:21:40 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 676459 None None None Never

Internal Links: 676459

Description Josh Bressers 2011-02-09 16:08:18 UTC
http://www.djangoproject.com/weblog/2011/feb/08/security/

Django's form system includes form fields and widgets for performing file
uploads; in rendering these fields, the name of the file currently stored
in the field is displayed. In the process of rendering, the filename is
displayed without being escaped, as reported by Trac user "e.generalov".

In many cases this does not result in a cross-site-scripting vulnerability,
as file-storage backends can and are encouraged to (and the default
backends provided with Django do) sanitize the supplied filename according
to their requirements. However, the risk of a vulnerability appearing in a
backend which does not sanitize, or which performs insufficient
sanitization, is such that Django will now automatically escape filenames
in form rendering.

Comment 1 Josh Bressers 2011-02-09 16:09:35 UTC
Created Django tracking bugs for this issue

Affects: fedora-all [bug 676360]

Comment 2 Michel Alexandre Salim 2011-03-17 11:21:40 UTC
All our branches now have either 1.2.5 or 1.1.4 as stable releases -- it appears that they were pushed without tagging the affected bugs.


Note You need to log in before you can comment on or make changes to this bug.