CVE-2018-25045 REST framework before 3.9.1 allows XSS because the default Browsable API view templates disable autoescaping.

This issue has been fixed in django-rest-framework 3.9.2 and later. We recommend updating your project to django-rest-framework 3.9.2 or later as soon as possible.

In order to prevent XSS attacks, the default DRF Browsable API view templates disable autoescaping. This prevents application code from directly accessing the request variables or the response body, so they cannot be used to inject malicious code into the request or response. In django-rest-framework 3.9.1 and earlier, the default DRF Browsable API view templates also included a hardcoded restriction that prevented setting the request's method to "POST". This prevents application code from directly accessing the request's body, so it cannot be used to inject malicious code into the request. These issues have been addressed in django-rest-framework 3.9.2 and later by fixing the above issues and by removing the restriction on POST methods.
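As an added illustration (not code from this advisory or from Django REST framework), the following Python stand-in shows what a template engine's autoescape setting does to untrusted data, which is the mechanism behind CVE-2018-25045. The `{{ var }}` substitution, the `SafeString` marker and the `{% autoescape off %}` scan are simplified assumptions modelled on Django's template behaviour rather than Django's own code, and the script value is constructed sample input.

```python
import html
import re

# Constructed sample: an attacker-controlled string of the kind that could
# appear in a request value or response body rendered by a browsable API page.
UNTRUSTED_VALUE = '<script>alert("xss")</script>'


class SafeString(str):
    """Marker for strings already known to be safe HTML (assumption: mirrors
    the role of Django's mark_safe). Escaping is skipped for these even when
    autoescape is on."""


PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context, autoescape=True):
    """Minimal stand-in for a template engine's variable substitution.

    With autoescape=True every non-SafeString value is HTML-escaped before it
    is inserted into the page. With autoescape=False values are inserted
    verbatim, which is the behaviour the advisory describes for the pre-fix
    browsable API templates: any markup in the data becomes live markup.
    """
    def substitute(match):
        value = context.get(match.group(1), "")
        if autoescape and not isinstance(value, SafeString):
            return html.escape(str(value), quote=True)
        return str(value)
    return PLACEHOLDER.sub(substitute, template)


AUTOESCAPE_OFF = re.compile(r"\{%\s*autoescape\s+off\s*%\}")


def find_autoescape_off(template_source):
    """Return the 1-based line numbers at which a template switches
    autoescaping off. A quick audit helper for reviewing templates that
    render request or response data."""
    return [
        lineno
        for lineno, line in enumerate(template_source.splitlines(), 1)
        if AUTOESCAPE_OFF.search(line)
    ]


if __name__ == "__main__":
    page = "<pre>{{ body }}</pre>"
    # Autoescape off: the script tag lands in the page unchanged.
    print(render(page, {"body": UNTRUSTED_VALUE}, autoescape=False))
    # Autoescape on: the same value is rendered as inert text.
    print(render(page, {"body": UNTRUSTED_VALUE}, autoescape=True))
    # Audit a constructed template fragment for the risky directive.
    print(find_autoescape_off("{% autoescape off %}\n{{ body }}\n{% endautoescape %}"))
```

Running the module prints the raw and escaped renderings side by side; `find_autoescape_off` is the kind of check worth running over a project's own template overrides after upgrading, since application templates that copied the old defaults keep the old behaviour.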

Installation and Configuration Requirements

The following requirements are needed for this security update.
$ yum install epel-release
$ yum install -y python-pip python-devel gcc make git

$ git clone https://github.com/django-rest-framework/rest_framework.git
$ cd rest_framework/
$ pip3 install -r requirements.txt

What is django-rest-framework?

Django REST framework is a powerful and flexible toolkit for building Web APIs. It provides a range of high-quality tools that can help you handle your RESTful resources in Django, whether you're building a small project or an enterprise application.

How to Install or Upgrade django-rest-framework?

If you are using django-rest-framework 1.10 or earlier and want to upgrade, use pip to install the latest version of django-rest-framework:

$ pip install django-rest-framework==3.9.2

If you are using django-rest-framework 3.9.0 or earlier and want to upgrade, first upgrade your Python interpreter:

$ pip install -U python

How to update code to django-rest-framework 3.9.2

The easiest way to update your code is to run pip uninstall django-rest-framework and then pip install django-rest-framework==3.9.2. We recommend running python setup.py install --upgrade to ensure all dependencies are also updated; there may be some that need upgrading in order to run with this release.
