Security updates for django Filer and django CMS Attributes Field
The updated django Filer and django CMS Attributes Field releases are now available from our GitHub repositories and PyPI.
Details
django Filer introduced file upload validation in version 3, but by default it still accepted binary or unidentified files. Such a file could be uploaded by one person, downloaded by another and executed by hand on a local machine. To avoid the risk of malware being distributed this way, django Filer 3.3 now rejects binary files and unknown file types by default. You can allow them, or run them through a virus checker, by adjusting your project settings.
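The following is an added illustration of the kind of upload check described above; it is not django Filer's own code and does not use its settings. It identifies a file by its leading bytes against a small constructed allowlist, accepts plain text, and rejects anything unidentified or binary unless the caller explicitly allows it, optionally passing allowed files through a caller-supplied scanner hook. The magic-byte table, the `allow_unknown` flag and the `scanner` callback are assumptions made for this example.

```python
"""Added example: reject binary or unidentified uploads by default.

This is illustrative code, not django Filer's implementation. The magic-byte
table below is a constructed, deliberately small allowlist.
"""
from typing import Callable, Dict, Optional

# Constructed allowlist: leading bytes -> MIME type. A real deployment would
# use a fuller table or a content-sniffing library.
MAGIC_BYTES: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}

# Bytes that commonly occur in plain text; anything else counts as "non-text".
_TEXT_BYTES = frozenset(range(0x20, 0x7F)) | frozenset(b"\t\n\r\f\b")


class UploadRejected(Exception):
    """Raised when a file must not be stored."""


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in MAGIC_BYTES.items():
        if data.startswith(magic):
            return mime
    return None


def looks_binary(data: bytes) -> bool:
    """Heuristic: a NUL byte or a high share of non-text bytes in the head."""
    sample = data[:4096]
    if not sample:
        return False
    if b"\x00" in sample:
        return True
    non_text = sum(1 for b in sample if b not in _TEXT_BYTES)
    return non_text / len(sample) > 0.30


def validate_upload(
    data: bytes,
    allow_unknown: bool = False,
    scanner: Optional[Callable[[bytes], bool]] = None,
) -> str:
    """Return the MIME type to store the file under, or raise UploadRejected.

    allow_unknown and scanner are assumed hooks for this example: the first
    lets unidentified/binary content through, the second (a callable that
    returns True when the content is clean) is consulted for every accepted
    file when supplied.
    """
    mime = sniff_mime(data)
    if mime is None:
        if looks_binary(data):
            if not allow_unknown:
                raise UploadRejected("binary or unidentified file type rejected")
            mime = "application/octet-stream"
        else:
            mime = "text/plain"
    if scanner is not None and not scanner(data):
        raise UploadRejected("scanner flagged the file")
    return mime
```

With the default arguments an unidentified binary blob is refused; switching `allow_unknown=True` and passing a scanner callback models the "allow them or run them through a virus checker" choice the advisory mentions.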
django CMS Attributes Field did validate the attributes when validating the model field, but not when validating the form field. This led to a security issue in apps that use the form field (not in apps using the model field), e.g. in django CMS Frontend. This is fixed in django CMS Attributes Field 4.0. Also, attributes that execute JavaScript are now disallowed by default.
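As an added example (not the project's own code), the snippet below shows the pattern the fix implies: one attribute validator that both the model field and the form field call, so that neither entry point skips the check, with event-handler attributes and `javascript:` style URL values refused by default. The `AttributesModelField` and `AttributesFormField` classes are plain stand-ins for Django field classes, and the deny rules are assumptions made for this illustration.

```python
"""Added example: one validator shared by model-field and form-field paths.

Illustrative only; the field classes are stand-ins, not django CMS Attributes
Field's implementation, and the rules below are assumed for this example.
"""
import re
from typing import Dict, List

# Attribute names must be plausible HTML/XML attribute names.
_VALID_NAME = re.compile(r"^[A-Za-z_:][-A-Za-z0-9_:.]*$")
# Event handlers such as onclick / onload execute script; refused by default.
_EVENT_HANDLER = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# Attributes whose value is a URL and could carry a script scheme.
_URL_ATTRIBUTES = frozenset({"href", "src", "action", "formaction", "xlink:href"})
_SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class AttributeValidationError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError."""

    def __init__(self, errors: List[str]):
        super().__init__("; ".join(errors))
        self.errors = errors


def _normalise_url(value: str) -> str:
    # Browsers ignore whitespace and control characters inside the scheme,
    # so strip them before comparing, to avoid "java\tscript:" slipping through.
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


def validate_attributes(attrs: Dict[str, str], allow_script: bool = False) -> Dict[str, str]:
    """Return attrs unchanged if acceptable, else raise AttributeValidationError.

    allow_script is an assumed opt-in flag mirroring "disallowed by default".
    """
    errors: List[str] = []
    for name, value in attrs.items():
        if not isinstance(name, str) or not _VALID_NAME.match(name):
            errors.append(f"invalid attribute name: {name!r}")
            continue
        if allow_script:
            continue
        if _EVENT_HANDLER.match(name):
            errors.append(f"event handler attribute not allowed: {name}")
        elif name.lower() in _URL_ATTRIBUTES and _normalise_url(str(value)).startswith(_SCRIPT_SCHEMES):
            errors.append(f"script URL not allowed in {name}")
    if errors:
        raise AttributeValidationError(errors)
    return attrs


class AttributesModelField:
    """Stand-in for the model field: validate() runs the shared validator."""

    def validate(self, value: Dict[str, str]) -> Dict[str, str]:
        return validate_attributes(value)


class AttributesFormField:
    """Stand-in for the form field: clean() runs the same validator, so the
    form path is no longer a way around the model-level check."""

    def clean(self, value: Dict[str, str]) -> Dict[str, str]:
        return validate_attributes(value)
```

The important property is that both `validate()` and `clean()` delegate to the same function; a validator implemented only on the model side is silently bypassed by any view that saves through a form.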
We recommend that all users of django Filer and django CMS Attributes Field update to the new versions.
The security issue is of low severity, since an attacker needs to have access to the django CMS admin interface to exploit it.
Thanks again to Ali İltizar for the detailed report through our security email.
As ever, we remind our users and contributors that all security reports, patches and concerns should be addressed only to our security team by email, at [email protected].
Please do not use GitHub, our mailing lists or Discord to report, address or otherwise discuss matters relating to security. Mail [email protected] directly.