[1.11.x] Fixed CVE-2017-12794 -- Fixed XSS possibility in traceback section of technical 500 debug page.

timgraham · timgraham · commit e35a0c560869 · 2017-09-05T11:05:43.000-04:00
This is a security fix.
diff --git a/django/views/debug.py b/django/views/debug.py
@@ -774,38 +774,37 @@ def default_urlconf(request):
   <h2>Traceback <span class="commands">{% if not is_email %}<a href="#" onclick="return switchPastebinFriendly(this);">
     Switch to copy-and-paste view</a></span>{% endif %}
   </h2>
-  {% autoescape off %}
   <div id="browserTraceback">
     <ul class="traceback">
       {% for frame in frames %}
         {% ifchanged frame.exc_cause %}{% if frame.exc_cause %}
           <li><h3>
           {% if frame.exc_cause_explicit %}
-            The above exception ({{ frame.exc_cause }}) was the direct cause of the following exception:
+            The above exception ({{ frame.exc_cause|force_escape }}) was the direct cause of the following exception:
           {% else %}
-            During handling of the above exception ({{ frame.exc_cause }}), another exception occurred:
+            During handling of the above exception ({{ frame.exc_cause|force_escape }}), another exception occurred:
           {% endif %}
         </h3></li>
         {% endif %}{% endifchanged %}
         <li class="frame {{ frame.type }}">
-          <code>{{ frame.filename|escape }}</code> in <code>{{ frame.function|escape }}</code>
+          <code>{{ frame.filename }}</code> in <code>{{ frame.function }}</code>
 
           {% if frame.context_line %}
             <div class="context" id="c{{ frame.id }}">
               {% if frame.pre_context and not is_email %}
                 <ol start="{{ frame.pre_context_lineno }}" class="pre-context" id="pre{{ frame.id }}">
                 {% for line in frame.pre_context %}
-                  <li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"><pre>{{ line|escape }}</pre></li>
+                  <li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"><pre>{{ line }}</pre></li>
                 {% endfor %}
                 </ol>
               {% endif %}
               <ol start="{{ frame.lineno }}" class="context-line">
                 <li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"><pre>
-"""            """{{ frame.context_line|escape }}</pre>{% if not is_email %} <span>...</span>{% endif %}</li></ol>
+"""            """{{ frame.context_line }}</pre>{% if not is_email %} <span>...</span>{% endif %}</li></ol>
               {% if frame.post_context and not is_email  %}
                 <ol start='{{ frame.lineno|add:"1" }}' class="post-context" id="post{{ frame.id }}">
                   {% for line in frame.post_context %}
-                  <li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"><pre>{{ line|escape }}</pre></li>
+                  <li onclick="toggle('pre{{ frame.id }}', 'post{{ frame.id }}')"><pre>{{ line }}</pre></li>
                   {% endfor %}
               </ol>
               {% endif %}
@@ -830,7 +829,7 @@ def default_urlconf(request):
               <tbody>
                 {% for var in frame.vars|dictsort:0 %}
                   <tr>
-                    <td>{{ var.0|force_escape }}</td>
+                    <td>{{ var.0 }}</td>
                     <td class="code"><pre>{{ var.1 }}</pre></td>
                   </tr>
                 {% endfor %}
@@ -841,7 +840,6 @@ def default_urlconf(request):
       {% endfor %}
     </ul>
   </div>
-  {% endautoescape %}
   <form action="http://dpaste.com/" name="pasteform" id="pasteform" method="post">
 {% if not is_email %}
   <div id="pastebinTraceback" class="pastebin">
@@ -887,9 +885,9 @@ def default_urlconf(request):
 
 Traceback:{% for frame in frames %}
 {% ifchanged frame.exc_cause %}{% if frame.exc_cause %}{% if frame.exc_cause_explicit %}
-The above exception ({{ frame.exc_cause }}) was the direct cause of the following exception:
+The above exception ({{ frame.exc_cause|force_escape }}) was the direct cause of the following exception:
 {% else %}
-During handling of the above exception ({{ frame.exc_cause }}), another exception occurred:
+During handling of the above exception ({{ frame.exc_cause|force_escape }}), another exception occurred:
 {% endif %}{% endif %}{% endifchanged %}
 File "{{ frame.filename|escape }}" in {{ frame.function|escape }}
 {% if frame.context_line %}  {{ frame.lineno }}. {{ frame.context_line|escape }}{% endif %}{% endfor %}
diff --git a/docs/releases/1.10.8.txt b/docs/releases/1.10.8.txt
@@ -5,3 +5,12 @@ Django 1.10.8 release notes
 *September 5, 2017*
 
 Django 1.10.8 fixes a security issue in 1.10.7.
+
+CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
+=============================================================================
+
+In older versions, HTML autoescaping was disabled in a portion of the template
+for the technical 500 debug page. Given the right circumstances, this allowed
+a cross-site scripting attack. This vulnerability shouldn't affect most
+production sites since you shouldn't run with ``DEBUG = True`` (which makes
+this page accessible) in your production settings.
diff --git a/docs/releases/1.11.5.txt b/docs/releases/1.11.5.txt
@@ -6,6 +6,15 @@ Django 1.11.5 release notes
 
 Django 1.11.5 fixes a security issue and several bugs in 1.11.4.
 
+CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
+=============================================================================
+
+In older versions, HTML autoescaping was disabled in a portion of the template
+for the technical 500 debug page. Given the right circumstances, this allowed
+a cross-site scripting attack. This vulnerability shouldn't affect most
+production sites since you shouldn't run with ``DEBUG = True`` (which makes
+this page accessible) in your production settings.
+
 Bugfixes
 ========
 
diff --git a/tests/view_tests/tests/py3_test_debug.py b/tests/view_tests/tests/py3_test_debug.py
@@ -9,6 +9,7 @@
 import sys
 
 from django.test import RequestFactory, TestCase
+from django.utils.safestring import mark_safe
 from django.views.debug import ExceptionReporter
 
 
@@ -20,10 +21,10 @@ def test_reporting_of_nested_exceptions(self):
         request = self.rf.get('/test_view/')
         try:
             try:
-                raise AttributeError('Top level')
+                raise AttributeError(mark_safe('<p>Top level</p>'))
             except AttributeError as explicit:
                 try:
-                    raise ValueError('Second exception') from explicit
+                    raise ValueError('<p>Second exception</p>') from explicit
                 except ValueError:
                     raise IndexError('Final exception')
         except Exception:
@@ -37,9 +38,9 @@ def test_reporting_of_nested_exceptions(self):
         html = reporter.get_traceback_html()
         # Both messages are twice on page -- one rendered as html,
         # one as plain text (for pastebin)
-        self.assertEqual(2, html.count(explicit_exc.format("Top level")))
-        self.assertEqual(2, html.count(implicit_exc.format("Second exception")))
+        self.assertEqual(2, html.count(explicit_exc.format('&lt;p&gt;Top level&lt;/p&gt;')))
+        self.assertEqual(2, html.count(implicit_exc.format('&lt;p&gt;Second exception&lt;/p&gt;')))
 
         text = reporter.get_traceback_text()
-        self.assertIn(explicit_exc.format("Top level"), text)
-        self.assertIn(implicit_exc.format("Second exception"), text)
+        self.assertIn(explicit_exc.format('<p>Top level</p>'), text)
+        self.assertIn(implicit_exc.format('<p>Second exception</p>'), text)
