oss-sec mailing list archives

Django: CVE-2019-12308 AdminURLFieldWidget XSS (plus patched bundled jQuery for CVE-2019-11358)


From: Carlton Gibson <carlton.gibson () gmail com>
Date: Mon, 3 Jun 2019 13:21:10 +0200

In accordance with `our security release policy
<https://docs.djangoproject.com/en/dev/internals/security/>`_, the Django team
is issuing `Django 1.11.21
<https://docs.djangoproject.com/en/dev/releases/1.11.21/>`_, `Django 2.1.9
<https://docs.djangoproject.com/en/dev/releases/2.1.9/>`_, and `Django 2.2.2
<https://docs.djangoproject.com/en/dev/releases/2.2.2/>`_. These releases
address the security issues detailed below. We encourage all users of Django
to upgrade as soon as possible.

CVE-2019-12308: AdminURLFieldWidget XSS
=======================================

The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in a clickable JavaScript link.

``AdminURLFieldWidget`` now validates the provided value using ``URLValidator``
before displaying the clickable link. You may customise the validator by
passing a ``validator_class`` kwarg to ``AdminURLFieldWidget.__init__()``, e.g.
when using ``ModelAdmin.formfield_overrides``.
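
The following is an added illustration of the pattern behind the fix, not Django's own code: ``validate_url`` is a simplified stand-in for ``URLValidator`` (a scheme allow-list plus a host requirement, using only the standard library), and the two ``render_current_url_*`` functions model the widget's "Currently:" output before and after the change. The ``https_only`` validator mirrors the idea of supplying a stricter validator via ``validator_class``; the function and attribute names here are assumptions for the example.

```python
"""Validate a stored/supplied URL before rendering it as a clickable link.

Stand-in example for the CVE-2019-12308 fix. Not Django code: validate_url
approximates URLValidator's default scheme allow-list, and the render_*
functions approximate the AdminURLFieldWidget "Currently:" markup.
"""
import html
from urllib.parse import urlsplit

# Default allow-list modelled on URLValidator's default schemes (assumption:
# a constructed list, not imported from Django, so this runs without Django).
ALLOWED_SCHEMES = ("http", "https", "ftp", "ftps")


class InvalidURL(ValueError):
    """Raised when a value is not an acceptable URL."""


def validate_url(value, allowed_schemes=ALLOWED_SCHEMES):
    """Accept only URLs with an allowed scheme and a non-empty host.

    urlsplit() lowercases the scheme, so 'JavaScript:' is rejected as well;
    scheme-relative values like '//evil.example/' have no scheme and fail too.
    """
    parts = urlsplit(value)
    if parts.scheme not in allowed_schemes or not parts.netloc:
        raise InvalidURL(value)
    return value


def https_only(value):
    """Stricter validator, analogous to passing a custom validator_class."""
    return validate_url(value, allowed_schemes=("https",))


def render_current_url_vulnerable(value):
    """Pre-fix behaviour (simplified): the value becomes an href unconditionally.

    Attribute escaping stops markup injection, but a 'javascript:' value is
    still a live link that runs when an admin user clicks it.
    """
    escaped = html.escape(value)
    return '<p class="url">Currently: <a href="%s">%s</a></p>' % (escaped, escaped)


def render_current_url_fixed(value, validator=validate_url):
    """Post-fix behaviour: validate first; render invalid values as plain text."""
    escaped = html.escape(value)
    try:
        validator(value)
    except InvalidURL:
        return '<p class="url">Currently: %s</p>' % escaped
    return '<p class="url">Currently: <a href="%s">%s</a></p>' % (escaped, escaped)


def is_clickable(rendered):
    """True when the rendered markup contains an anchor element."""
    return "<a href=" in rendered


# Constructed sample values: two benign URLs and three payload-style values.
SAMPLES = [
    "https://example.com/path?q=1&r=2",
    "http://example.com/",
    "javascript:alert(document.domain)",
    "JavaScript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
]


def compare(values=SAMPLES):
    """Return {value: (clickable_before_fix, clickable_after_fix)} for each sample."""
    return {
        v: (is_clickable(render_current_url_vulnerable(v)),
            is_clickable(render_current_url_fixed(v)))
        for v in values
    }


if __name__ == "__main__":
    for value, (before, after) in compare().items():
        print("%-45s before=%s after=%s" % (value, before, after))
    # With the stricter validator, even plain http is no longer linkified.
    print(is_clickable(render_current_url_fixed("http://example.com/", https_only)))
```

The point to carry over to your own widgets and templates is the order of operations: validation decides whether a value is allowed to become a link at all, and escaping only protects the surrounding markup; escaping alone does nothing against a ``javascript:`` or ``data:`` scheme placed in an ``href``.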

Affected versions
-----------------

* Django master development branch
* Django 2.2 before version 2.2.2
* Django 2.1 before version 2.1.9
* Django 1.11 before version 1.11.21

Patched bundled jQuery for CVE-2019-11358: Prototype pollution
==============================================================

jQuery before 3.4.0 mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.

The bundled version of jQuery used by the Django admin has been patched to
address this, because the admin's ``select2`` library relies on
``jQuery.extend()``.

Affected versions
-----------------

* Django master development branch
* Django 2.2 before version 2.2.2
* Django 2.1 before version 2.1.9

Resolution
==========

Patches to resolve these issues have been applied to Django's master branch and
the 2.2, 2.1, and 1.11 release branches. The patches may be obtained from the
following changesets:

On the master branch:

* `Admin XSS <https://github.com/django/django/commit/deeba6d92006999fee9adfbd8be79bf0a59e8008>`__
* `jQuery prototype pollution <https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f>`__

On the 2.2 release branch:

* `Admin XSS <https://github.com/django/django/commit/afddabf8428ddc89a332f7a78d0d21eaf2b5a673>`__
* `jQuery prototype pollution <https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad>`__

On the 2.1 release branch:

* `Admin XSS <https://github.com/django/django/commit/09186a13d975de6d049f8b3e05484f66b01ece62>`__
* `jQuery prototype pollution <https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829>`__

On the 1.11 release branch:

* `Admin XSS <https://github.com/django/django/commit/c238701859a52d584f349cce15d56c8e8137c52b>`__

The following releases have been issued:

* Django 1.11.21 (`download Django 1.11.21 <https://www.djangoproject.com/m/releases/1.11/Django-1.11.21.tar.gz>`_ | `1.11.21 checksums <https://www.djangoproject.com/m/pgp/Django-1.11.21.checksum.txt>`_)
* Django 2.1.9 (`download Django 2.1.9 <https://www.djangoproject.com/m/releases/2.1/Django-2.1.9.tar.gz>`_ | `2.1.9 checksums <https://www.djangoproject.com/m/pgp/Django-2.1.9.checksum.txt>`_)
* Django 2.2.2 (`download Django 2.2.2 <https://www.djangoproject.com/m/releases/2.2/Django-2.2.2.tar.gz>`_ | `2.2.2 checksums <https://www.djangoproject.com/m/pgp/Django-2.2.2.checksum.txt>`_)


The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting
==========================================

As always, we ask that potential security issues be reported via
private email to ``security () djangoproject com``, and not via Django's
Trac instance or the django-developers list. Please see `our security
policies <https://www.djangoproject.com/security/>`_ for further
information.
