main/py-django/CVE-2016-6186.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65

Description: CVE-2016-6186: Fixed XSS in admin's add/change related popup.
Origin: upstream, https://github.com/django/django/commit/8462b3fa9c0a59221a8b5583025c3a9fff637d85
Forwarded: not-needed
Author: Tim Graham <timograham@gmail.com>
Reviewed-by: Luke Faraone <lfaraone@debian.org>
Last-Update: 2016-07-16
Applied-Upstream: 1.8.14

---
 django/views/debug.py       |  4 ++--
 tests/admin_views/admin.py  |  3 ++-
 tests/admin_views/models.py |  4 ++++
 tests/admin_views/tests.py  | 38 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 46 insertions(+), 3 deletions(-)

--- a/django/views/debug.py
+++ b/django/views/debug.py
@@ -637,13 +637,13 @@
       var s = link.getElementsByTagName('span')[0];
       var uarr = String.fromCharCode(0x25b6);
       var darr = String.fromCharCode(0x25bc);
-      s.innerHTML = s.innerHTML == uarr ? darr : uarr;
+      s.textContent = s.textContent == uarr ? darr : uarr;
       return false;
     }
     function switchPastebinFriendly(link) {
       s1 = "Switch to copy-and-paste view";
       s2 = "Switch back to interactive view";
-      link.innerHTML = link.innerHTML == s1 ? s2: s1;
+      link.textContent = link.textContent.trim() == s1 ? s2: s1;
       toggle('browserTraceback', 'pastebinTraceback');
       return false;
     }
--- a/tests/admin_views/admin.py
+++ b/tests/admin_views/admin.py
@@ -83,7 +83,8 @@
 
 class ArticleAdmin(admin.ModelAdmin):
     list_display = ('content', 'date', callable_year, 'model_year',
-                    'modeladmin_year', 'model_year_reversed')
+                    'modeladmin_year', 'model_year_reversed', 'section')
+    list_editable = ('section',)
     list_filter = ('date', 'section')
     view_on_site = False
     fieldsets = (
--- a/tests/admin_views/models.py
+++ b/tests/admin_views/models.py
@@ -15,6 +15,7 @@
 from django.utils.encoding import python_2_unicode_compatible
 
 
+@python_2_unicode_compatible
 class Section(models.Model):
     """
     A simple section that links to articles, to test linking to related items
@@ -22,6 +23,9 @@
     """
     name = models.CharField(max_length=100)
 
+    def __str__(self):
+        return self.name
+
     @property
     def name_property(self):
         """