mirror
/
wagtail
kopia lustrzana https://github.com/wagtail/wagtail
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

Release note for 2.7.4

pull/6246/head
Matt Westcott 2020-07-20 10:08:46 +01:00
rodzic fc5c6bdff2
commit 457643e686
3 zmienionych plików z 28 dodań i 0 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

7
CHANGELOG.txt
Wyświetl plik

@ -190,6 +190,13 @@ Changelog
* Fix: Make sure all modal chooser search results correspond to the latest search by canceling previous requests (Esper Kuijs)
2.7.4 (20.07.2020)
~~~~~~~~~~~~~~~~~~
* Fix: CVE-2020-15118 - prevent HTML injection through form field help text (Timothy Bautista, Matt Westcott)
* Fix: Expand Pillow dependency range to include 7.x (Harris Lapiroff, Matt Westcott)
2.7.3 (04.05.2020)
~~~~~~~~~~~~~~~~~~

20
docs/releases/2.7.4.rst 100644
Wyświetl plik

@ -0,0 +1,20 @@
===========================
Wagtail 2.7.4 release notes
===========================
CVE-2020-15118: HTML injection through form field help text
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This release addresses an HTML injection vulnerability through help text in the ``wagtail.contrib.forms`` form builder app. When a form page type is made available to Wagtail editors, and the page template is built using Django's standard form rendering helpers such as ``form.as_p`` :ref:`(as directed in the documentation) <form_builder_usage>`, any HTML tags used within a form field's help text will be rendered unescaped in the page. Allowing HTML within help text is `an intentional design decision by Django <https://docs.djangoproject.com/en/3.0/ref/models/fields/#django.db.models.Field.help_text>`_; however, as a matter of policy Wagtail does not allow editors to insert arbitrary HTML by default, as this could potentially be used to carry out cross-site scripting attacks, including privilege escalation. This functionality should therefore not have been made available to editor-level users.
The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin.
Site owners who wish to re-enable the use of HTML within help text (and are willing to accept the risk of this being exploited by editors) may set ``WAGTAILFORMS_HELP_TEXT_ALLOW_HTML = True`` in their configuration settings.
Many thanks to Timothy Bautista for reporting this issue.
Additional fixes
~~~~~~~~~~~~~~~~
* Expand Pillow dependency range to include 7.x (Harris Lapiroff, Matt Westcott)

1
docs/releases/index.rst
Wyświetl plik

@ -12,6 +12,7 @@ Release notes
2.8.2
2.8.1
2.8
2.7.4
2.7.3
2.7.2
2.7.1