Today the Django CMS team is issuing a security release for the 2.1 series, version 2.1.3, to fix a serious security issue. All 2.1 releases as well as any git checkout newer than April 8th 2010 are affected and anyone using any of these versions is strongly urged to upgrade immediately.
The security bug fixed in this release allowed any active staff users to add, edit and delete any plugin on any placeholder, due to missing permission checks in PlaceholderAdmin. This issue was solved and PlaceholderAdmin now correctly checks permissions on the respective models for users trying to add, edit or delete plugins.
The problem surfaced yesterday (21st of February 2011) while writing tests for a minor issue reported by Ben Hockey that PlaceholderAdmin does not check for limits set in CMS_PLACEHOLDER_CONF. We then investigated this issue thoroughly and were able to reproduce the issue as well as writing a patch for it.
Full list of changes in this release
- Fixed a serious security issue in PlaceholderAdmin, allowing any active staff user to add, edit and delete any plugin, many thanks to Ben Hockey for triggering the discovery of this bug.
- Fixed PlaceholderAdmin not respecting limits set in CMS_PLACEHOLDER_CONF, many thanks to Ben Hockey for reporting this.
- Fixed show_submenu template tag not respecting in_navigation flags on pages, thanks to Iacopo Spalletti for the patch.
- Fixed the way we prevent double-patching django.core.urlresolvers.reverse, thanks to Benjamin Wohlwend for the patch.
- django CMS 2.1
- django CMS develop branch
- django CMS git checkout after April 8th, 2010
Here are detailed instructions on how to upgrade your website with the most common tools to deploy them
If you have a strict version set in the [versions] directive, make sure it says 'django-cms = 2.1.3'. Run buildout again and restart your webserver.
Virtualenv + requirements.txt
If you have a fixed version, make sure it says 'django-cms == 2.1.3'. Activate your virtualenv and run `pip install -r requirements.txt`.
Activate your virtualenv and run `pip install django-cms==2.1.3`
Global installation (Unix based systems)
Run `sudo pip install django-cms==2.1.3`.
Manual installation (Unix based systems)
Download and extract https://github.com/divio/django-cms/zipball/2.1.3. Run `sudo setup.py install`.
General note concerning security
Please report any potential security issue you discover via private email to firstname.lastname@example.org. Please do not report it to the github issue tracker or any of the mailing lists.