diff --git a/django/views/debug.py b/django/views/debug.py index fca137fd07..35cff6338f 100644 --- a/django/views/debug.py +++ b/django/views/debug.py @@ -8,7 +8,7 @@ from pathlib import Path from django.conf import settings from django.http import HttpResponse, HttpResponseNotFound from django.template import Context, Engine, TemplateDoesNotExist -from django.template.defaultfilters import force_escape, pprint +from django.template.defaultfilters import pprint from django.urls import Resolver404, resolve from django.utils import timezone from django.utils.datastructures import MultiValueDict @@ -271,7 +271,7 @@ class ExceptionReporter: # Trim large blobs of data if len(v) > 4096: v = '%s... ' % (v[0:4096], len(v)) - frame_vars.append((k, force_escape(v))) + frame_vars.append((k, v)) frame['vars'] = frame_vars frames[i] = frame diff --git a/django/views/templates/technical_500.html b/django/views/templates/technical_500.html index 01534f80d9..25cf231ead 100644 --- a/django/views/templates/technical_500.html +++ b/django/views/templates/technical_500.html @@ -212,38 +212,37 @@

Traceback {% if not is_email %} Switch to copy-and-paste view{% endif %}

- {% autoescape off %}
- {% endautoescape %}
{% if not is_email %}
@@ -318,9 +316,9 @@ In template {{ template_info.name }}, error at line {{ template_info.line }} Traceback:{% for frame in frames %} {% ifchanged frame.exc_cause %}{% if frame.exc_cause %}{% if frame.exc_cause_explicit %} -The above exception ({{ frame.exc_cause }}) was the direct cause of the following exception: +The above exception ({{ frame.exc_cause|force_escape }}) was the direct cause of the following exception: {% else %} -During handling of the above exception ({{ frame.exc_cause }}), another exception occurred: +During handling of the above exception ({{ frame.exc_cause|force_escape }}), another exception occurred: {% endif %}{% endif %}{% endifchanged %} File "{{ frame.filename }}" in {{ frame.function }} {% if frame.context_line %} {{ frame.lineno }}. {{ frame.context_line }}{% endif %}{% endfor %} diff --git a/docs/releases/1.10.8.txt b/docs/releases/1.10.8.txt index 160e555fef..3785e6535a 100644 --- a/docs/releases/1.10.8.txt +++ b/docs/releases/1.10.8.txt @@ -5,3 +5,12 @@ Django 1.10.8 release notes *September 5, 2017* Django 1.10.8 fixes a security issue in 1.10.7. + +CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page +============================================================================= + +In older versions, HTML autoescaping was disabled in a portion of the template +for the technical 500 debug page. Given the right circumstances, this allowed +a cross-site scripting attack. This vulnerability shouldn't affect most +production sites since you shouldn't run with ``DEBUG = True`` (which makes +this page accessible) in your production settings. diff --git a/docs/releases/1.11.5.txt b/docs/releases/1.11.5.txt index c0af25fb43..dda3489b93 100644 --- a/docs/releases/1.11.5.txt +++ b/docs/releases/1.11.5.txt @@ -6,6 +6,15 @@ Django 1.11.5 release notes Django 1.11.5 fixes a security issue and several bugs in 1.11.4. +CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page +============================================================================= + +In older versions, HTML autoescaping was disabled in a portion of the template +for the technical 500 debug page. Given the right circumstances, this allowed +a cross-site scripting attack. This vulnerability shouldn't affect most +production sites since you shouldn't run with ``DEBUG = True`` (which makes +this page accessible) in your production settings. + Bugfixes ======== diff --git a/tests/view_tests/tests/test_debug.py b/tests/view_tests/tests/test_debug.py index 8de484d6a9..71c60210e4 100644 --- a/tests/view_tests/tests/test_debug.py +++ b/tests/view_tests/tests/test_debug.py @@ -349,10 +349,10 @@ class ExceptionReporterTests(SimpleTestCase): request = self.rf.get('/test_view/') try: try: - raise AttributeError('Top level') + raise AttributeError(mark_safe('

Top level

')) except AttributeError as explicit: try: - raise ValueError('Second exception') from explicit + raise ValueError(mark_safe('

Second exception

')) from explicit except ValueError: raise IndexError(mark_safe('

Final exception

')) except Exception: @@ -366,13 +366,13 @@ class ExceptionReporterTests(SimpleTestCase): html = reporter.get_traceback_html() # Both messages are twice on page -- one rendered as html, # one as plain text (for pastebin) - self.assertEqual(2, html.count(explicit_exc.format("Top level"))) - self.assertEqual(2, html.count(implicit_exc.format("Second exception"))) + self.assertEqual(2, html.count(explicit_exc.format('<p>Top level</p>'))) + self.assertEqual(2, html.count(implicit_exc.format('<p>Second exception</p>'))) self.assertEqual(10, html.count('<p>Final exception</p>')) text = reporter.get_traceback_text() - self.assertIn(explicit_exc.format("Top level"), text) - self.assertIn(implicit_exc.format("Second exception"), text) + self.assertIn(explicit_exc.format('

Top level

'), text) + self.assertIn(implicit_exc.format('

Second exception

'), text) self.assertEqual(3, text.count('

Final exception

')) def test_reporting_frames_without_source(self):