fix: Make some security measures explicit

Author: fsbraun

cms/admin/pageadmin.py

@@ -26,6 +26,7 @@
     HttpResponseBadRequest,
     HttpResponseForbidden,
     HttpResponseRedirect,
+    JsonResponse,
     QueryDict,
 )
 from django.shortcuts import get_object_or_404, render
@@ -343,7 +344,7 @@ def set_home(self, request, object_id):
             raise self._get_404_exception(object_id)
 
         if not page.is_potential_home():
-            return HttpResponseBadRequest(_("The page is not eligible to be home."))
+            return HttpResponseBadRequest(escape(_("The page is not eligible to be home.")))
 
         new_home_tree, old_home_tree = page.set_as_homepage(request.user)
 
@@ -389,7 +390,7 @@ def get_list(self, *args, **kwargs):
                         "redirect_url": page.get_absolute_url(language=language_code),
                     }
                 )
-            return HttpResponse(json.dumps(results), content_type="application/json")
+            return JsonResponse(results, safe=False)
         return HttpResponseForbidden()
 
     def changelist_view(self, request, extra_context=None):
@@ -555,15 +556,15 @@ def move_page(self, request, page_id, extra_context=None):
         form = self.move_form(request.POST or None, page=page, site=site)
 
         if not form.is_valid():
-            return jsonify_request(HttpResponseBadRequest(str(form.errors.get("__all__", _("error")))))
+            return jsonify_request(HttpResponseBadRequest(escape(form.errors.get("__all__", _("error")))))
 
         target = form.cleaned_data["target"]
         can_move_page = self.has_move_page_permission(request, obj=page)
 
         # Does the user have permissions to do this...?
         if not can_move_page or (target and not target.has_add_permission(user)):
             message = _("Error! You don't have permissions to move this page. Please reload the page")
-            return jsonify_request(HttpResponseForbidden(message))
+            return jsonify_request(HttpResponseForbidden(escape(message)))
 
         operation_token = send_pre_page_operation(
             request=request,
@@ -679,14 +680,14 @@ def copy_page(self, request, page_id):
             return jsonify_request(HttpResponseBadRequest(message))
 
         new_page = form.copy_page(user)
-        return HttpResponse(json.dumps({"id": new_page.pk}), content_type="application/json")
+        return JsonResponse({"id": new_page.pk})
 
     def edit_title_fields(self, request, page_id, language):
         page = self.get_object(request, object_id=page_id)
         translation = page.get_admin_content(language)
 
         if not self.has_change_permission(request, obj=page):
-            return HttpResponseForbidden(_("You do not have permission to edit this page"))
+            return HttpResponseForbidden(escape(_("You do not have permission to edit this page")))
 
         if page is None:
             raise self._get_404_exception(page_id)
@@ -1180,15 +1181,15 @@ def change_template(self, request, object_id):
 
         if get_cms_setting("TEMPLATES"):
             if to_template not in dict(get_cms_setting("TEMPLATES")):
-                return HttpResponseBadRequest(_("Template not valid"))
+                return HttpResponseBadRequest(escape(_("Template not valid")))
         else:
             if to_template not in (placeholder_set[0] for placeholder_set in get_cms_setting("PLACEHOLDERS")):
-                return HttpResponseBadRequest(_("Placeholder selection not valid"))
+                return HttpResponseBadRequest(escape(_("Placeholder selection not valid")))
 
         page_content.template = to_template
         page_content.save()
 
-        return HttpResponse(_("The template was successfully changed"))
+        return HttpResponse(escape(_("The template was successfully changed")))
 
     @require_POST
     @transaction.atomic
@@ -1205,7 +1206,7 @@ def copy_language(self, request, object_id):
         page = source_page_content.page
 
         if not target_language or target_language not in get_language_list(site_id=page.site_id):
-            return HttpResponseBadRequest(_("Language must be set to a supported language!"))
+            return HttpResponseBadRequest(escape(_("Language must be set to a supported language!")))
 
         target_page_content = page.get_content_obj(target_language, fallback=False)
 
@@ -1218,7 +1219,7 @@ def copy_language(self, request, object_id):
             plugins = placeholder.get_plugins_list(source_page_content.language)
 
             if not target.has_add_plugins_permission(request.user, plugins):
-                return HttpResponseForbidden(_("You do not have permission to copy these plugins."))
+                return HttpResponseForbidden(escape(_("You do not have permission to copy these plugins.")))
             copy_plugins_to_placeholder(plugins, target, language=target_language)
         return HttpResponse("ok")
 
@@ -1227,7 +1228,7 @@ def delete_view(self, request, object_id, extra_context=None):
         page = page_content.page
 
         if not self.has_delete_translation_permission(request, page_content.language, page):
-            return HttpResponseForbidden(_("You do not have permission to delete this page"))
+            return HttpResponseForbidden(escape(_("You do not have permission to delete this page")))
 
         if page is None:
             raise self._get_404_exception(object_id)
@@ -1291,7 +1292,7 @@ def change_innavigation(self, request, object_id):
             else:
                 # Only this page? Can be permissions or versioning, or ...
                 message = "You cannot change this page's navigation status"
-            return HttpResponseForbidden(_(message))
+            return HttpResponseForbidden(escape(_(message)))
 
         if page_content is None:
             raise self._get_404_exception(object_id)

cms/admin/placeholderadmin.py

@@ -14,8 +14,10 @@
     HttpResponseBadRequest,
     HttpResponseForbidden,
     HttpResponseNotFound,
+    JsonResponse,
 )
 from django.shortcuts import get_list_or_404, get_object_or_404
+from django.template.defaultfilters import escape
 from django.template.response import TemplateResponse
 from django.urls import include, re_path
 from django.utils.datastructures import MultiValueDict
@@ -386,12 +388,11 @@ def add_plugin(self, request):
 
         if not self.has_add_plugin_permission(request, placeholder, plugin_type):
             message = _('You do not have permission to add a plugin')
-            return HttpResponseForbidden(message)
+            return HttpResponseForbidden(escape(message))
 
         if not placeholder.check_source(request.user):
             message = _('You do not have permission to add a plugin')
-            return HttpResponseForbidden(message)
-
+            return HttpResponseForbidden(escape(message))
         plugin_class = plugin_pool.get_plugin(plugin_type)
         plugin_instance = plugin_class(plugin_class.model, self.admin_site)
 
@@ -464,7 +465,7 @@ def copy_plugins(self, request):
         target_placeholder = get_object_or_404(Placeholder, pk=target_placeholder_id)
 
         if not target_language or target_language not in get_language_list():
-            return HttpResponseBadRequest(_("Language must be set to a supported language!"))
+            return HttpResponseBadRequest(escape(_("Language must be set to a supported language!")))
 
         copy_to_clipboard = target_placeholder.pk == request.toolbar.clipboard.pk
         source_plugin_id = request.POST.get('source_plugin_id', None)
@@ -489,7 +490,7 @@ def copy_plugins(self, request):
                 target_placeholder,
             )
         data = get_plugin_tree(request, new_plugins)
-        return HttpResponse(json.dumps(data), content_type='application/json')
+        return JsonResponse(data)
 
     def _copy_plugin_to_clipboard(self, request, target_placeholder):
         source_language = request.POST['source_language']
@@ -624,15 +625,15 @@ def edit_plugin(self, request, plugin_id):
         try:
             plugin_id = int(plugin_id)
         except ValueError:
-            return HttpResponseNotFound(_("Plugin not found"))
+            return HttpResponseNotFound(escape(_("Plugin not found")))
 
         obj = self._get_plugin_from_id(plugin_id)
 
         # CMSPluginBase subclass instance
         plugin_instance = obj.get_plugin_class_instance(admin=self.admin_site)
 
         if not self.has_change_plugin_permission(request, obj):
-            return HttpResponseForbidden(_("You do not have permission to edit this plugin"))
+            return HttpResponseForbidden(escape(_("You do not have permission to edit this plugin")))
 
         if not obj.placeholder.check_source(request.user):
             message = _("You do not have permission to edit this plugin")
@@ -1115,11 +1116,11 @@ def clear_placeholder(self, request, placeholder_id):
 
         if not self.has_clear_placeholder_permission(request, placeholder, language):
             message = _("You do not have permission to clear this placeholder")
-            return HttpResponseForbidden(message)
+            return HttpResponseForbidden(escape(message))
 
         if not placeholder.check_source(request.user):
             message = _("You do not have permission to clear this placeholder")
-            raise PermissionDenied(message)
+            raise PermissionDenied(escape(message))
 
         opts = Placeholder._meta
         plugins = placeholder.get_plugins_list(language)
@@ -1136,7 +1137,7 @@ def clear_placeholder(self, request, placeholder_id):
             # The user has already confirmed the deletion.
             if perms_needed:
                 message = _("You do not have permission to clear this placeholder")
-                return HttpResponseForbidden(message)
+                return HttpResponseForbidden(escape(message))
 
             operation_token = self._send_pre_placeholder_operation(
                 request,

cms/admin/settingsadmin.py

@@ -9,6 +9,7 @@
     HttpResponse,
     HttpResponseBadRequest,
     HttpResponseRedirect,
+    JsonResponse,
 )
 from django.http.request import QueryDict
 from django.urls import Resolver404, path, re_path, resolve
@@ -59,8 +60,7 @@ def session_store(self, request):
         POST should have a settings parameter
         """
         if not request.user.is_staff:
-            return HttpResponse(json.dumps(""),
-                                content_type="application/json")
+            return JsonResponse("", status=403)
         if request.method == "POST":
             request.session['cms_settings'] = conditional_escape(request.POST['settings'])
             request.session.save()

cms/management/commands/startcmsproject.py

@@ -115,7 +115,7 @@ def install_requirements(self, project):
                     self.write_command(f'python -m pip install -r "{requirements}"')
                     result = subprocess.run(
                         [sys.executable, "-m", "pip", "install", "-r", requirements],
-                        capture_output=True, check=False,
+                        capture_output=True, check=False, shell=False,
                     )
                     if result.returncode:
                         self.stderr.write(self.style.ERROR(result.stderr.decode()))
@@ -132,7 +132,7 @@ def install_requirements(self, project):
 
     def run_management_command(self, commands, capture_output=False):
         self.write_command("python -m manage " + " ".join(commands))
-        result = subprocess.run([sys.executable, "-m", "manage"] + commands, capture_output=capture_output, check=False)
+        result = subprocess.run([sys.executable, "-m", "manage"] + commands, capture_output=capture_output, check=False, shell=False)
         if result.returncode:
             if capture_output:
                 self.stderr.write(self.style.ERROR(result.stderr.decode()))

cms/templates/cms/toolbar/render_plugin_block.html

@@ -1 +1 @@
-<div class="cms-plugin cms-plugin-{{ plugin.id|safe }}">{{ inner }}</div>
+{% load l10n %}<div class="cms-plugin cms-plugin-{{ plugin.id|unlocalize }}">{{ inner }}</div>