Security updates of django CMS released

Martin Koistinen

April 26, 2016

security 3.0 3.2 3.1

Today we released versions 3.0.17, 3.1.6, and 3.2.4 of django CMS. This is primarily a security release to change the default behaviour of template tags that, when used without care, could expose a site to successful privilege escalation attacks. All users are strongly encouraged to upgrade and to review their projects.

In addition to the security fixes announced here, each release contains further bug-fixes as noted in the respective release notes:

  • http://docs.django-cms.org/en/3.2.4/upgrade/3.2.4.html
  • http://docs.django-cms.org/en/3.1.6/upgrade/3.1.6.html
  • http://docs.django-cms.org/en/3.0.17/upgrade/3.0.17.html

Context

The render_model template tag in django CMS trusted its input by default, and required developers using it to ensure that it was not used to publish untrusted content. Though this was formally documented behaviour, it was too easy for the unwary developer to use the template tag without realising its implications.

This security patch makes it possible to tighten up that behaviour by escaping untrusted content (converting potentially harmful HTML/CSS/JavaScript characters to harmless ones) unless the developer explicitly marks it as safe. A subsequent patch will make the new behaviour the default.

The behaviour is controlled by a new setting: CMS_UNESCAPED_RENDER_MODEL_TAGS with a default value of True. The default value allows upgrades to occur without making any changes, but does not change the problematic behaviour. That requires further action, described below.

Action required

To immediately improve the security of your project and to prepare for future releases of django CMS and related addons, the project administrator should:

  • Carefully review each use of the render_model template tags provided by django CMS, to check that all content which is rendered to a page using this template tag is cleansed of any potentially harmful HTML markup, CSS styles or JavaScript.
  • If you are satisfied that the content can be guaranteed to be clean, then you can add the safe filter parameter to the render_model template tag, to render it without escaping.
  • If the content does not need to be displayed un-escaped, then no further action is required.
  • Once all template tags have been reviewed and adjusted where necessary, then set CMS_UNESCAPED_RENDER_MODEL_TAGS = False in the project settings.

CMS_UNESCAPED_RENDER_MODEL_TAGS = False changes the behaviour of the template tags so that unless explicitly specified otherwise, the system will treat their content as untrusted. In future releases this will become the default behaviour, and the setting will be removed.
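
An added example, not code from django CMS or from the original post: a small script to support the review step above by listing every render_model tag in a project's templates and whether its filters argument (the fifth positional argument, as in the post's examples) includes safe. The sample template, status labels and function names are constructed for illustration; tags whose filters come from a variable, and the other render_model* tags, are only flagged for manual review.

```python
import re
import sys
from pathlib import Path

TAG_RE = re.compile(r"\{%\s*(render_model\w*)\s+(.*?)\s*%\}", re.S)
ARG_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')  # quoted literal or bare token

# Constructed sample template (not taken from any real project).
SAMPLE = '''<h1>{% render_model article "title" %}</h1>
{% render_model article "body" "" "" "safe" %}
{% render_model article "teaser" "" "" "truncate:2|safe" %}
{% render_model article "note" "" "" note_filters %}
{% render_model_block article %}{{ article.body }}{% endrender_model_block %}
'''

def classify(name, raw_args):
    """safe: rendered unescaped, content must be verified clean.
    escaped: no safe filter, escaped once CMS_UNESCAPED_RENDER_MODEL_TAGS = False.
    review: cannot be decided statically, inspect by hand."""
    if name != "render_model":
        return "review"  # other render_model* tags: flagged, not analysed
    args = ARG_RE.findall(raw_args)
    if len(args) < 5:
        return "escaped"  # no filters argument at all
    filters = args[4]
    if filters[0] not in "\"'":
        return "review"  # filters come from a template variable
    names = [f.split(":", 1)[0].strip() for f in filters[1:-1].split("|")]
    return "safe" if "safe" in names else "escaped"

def audit_template(text):
    """Return (line, tag_name, status) for every render_model* tag in text."""
    return [(text.count("\n", 0, m.start()) + 1, m.group(1),
             classify(m.group(1), m.group(2)))
            for m in TAG_RE.finditer(text)]

def audit_tree(root):
    """Yield (path, line, tag_name, status) for all *.html files under root."""
    for path in sorted(Path(root).rglob("*.html")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for line, name, status in audit_template(text):
            yield str(path), line, name, status

if __name__ == "__main__":
    if len(sys.argv) > 1:
        rows = [r for root in sys.argv[1:] for r in audit_tree(root)]
    else:
        rows = [("<sample>",) + f for f in audit_template(SAMPLE)]
    for path, line, name, status in rows:
        print(f"{path}:{line}: {name}: {status}")
```

Run it with one or more template directories as arguments; every line reported as safe or review is a place where the content's origin has to be checked before setting CMS_UNESCAPED_RENDER_MODEL_TAGS = False.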

Using the safe filter

The safe filter tells Django that the material it applies to can be trusted not to contain any potentially harmful HTML, CSS or JS, and that it should be rendered unescaped. It's available as a parameter on the render_model template tag:

{% render_model my_instance "my_field" "" "" "safe" %}

Or, if the template tag already uses filters, the safe filter may be applied in the normal Django manner with a "pipe" ("|") symbol.

{% render_model my_instance "my_field" "" "" "truncate:2|safe" %}

Warning

The new behaviour is more stringent by default, and requires explicit intervention to override it for trusted content. Just as before, however, the developer is responsible for ensuring that untrusted content is not passed to template tags that do not escape potentially harmful characters.

Addendum

When upgrading, it is strongly advised that the package djangocms-text-ckeditor is also updated. Users upgrading to (or just installing) django CMS 3.2.4 should upgrade to djangocms-text-ckeditor version 2.9.2 or later. Users upgrading to django CMS 3.0.x or 3.1.x should install djangocms-text-ckeditor version 2.7.2 or later (but less than version 2.9.0).
