Mezzanine 1.0.9 Security Release


Stephen McDonald

Apr 26, 2012, 5:42:02 PM
to mezzani...@googlegroups.com
I've released 1.0.9 as a security fix for 1.0.8, which prevents a non-superuser admin user from elevating their status to superuser.

It only contains this one change:


If an admin user was to create their own POST submit to any forms with a RichTextField, they could include JavaScript that does the following:

- Using an AJAX GET request, retrieves a valid CSRF token from the user change view in the admin
- Using an AJAX POST request, submits data to the user change view, with their own user ID and is_superuser set to true

If a superuser was then to view the page containing this content, the JavaScript would successfully update the malicious admin user's account to have superuser status.

The above fix adds the bleach library which removes potentially harmful HTML tags and attributes from any RichTextField instances, using whitelisted tags and attributes now defined in settings.
--
Stephen McDonald
http://jupo.org

Stephen McDonald

Apr 26, 2012, 6:23:29 PM
to mezzani...@googlegroups.com
Also thanks to Jonas Obrist from Django CMS for privately reporting the issue. They had the same problem as well, as would any Django app that allows arbitrary HTML to be saved and rendered.

I've also added a fix that can be used without upgrading thanks to the RICHTEXT_FILTER setting:

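The two messages above describe the same defence from two angles: the 1.0.9 release runs RichTextField content through bleach with a whitelist of tags and attributes, and the RICHTEXT_FILTER setting lets a site apply an equivalent filter without upgrading. The following allowlist sanitizer is an added illustration of that approach, not Mezzanine's code and not bleach; it uses only the Python standard library so it runs offline. The allowlists, the sample markup, and the assumption that a RICHTEXT_FILTER callable takes a string and returns a string are constructed for this example. The point it demonstrates is that an allowlist drops every `on*` event handler and `javascript:` URL without having to enumerate them, and discards the body of `<script>` elements rather than just the tag.

```python
"""Allowlist HTML sanitizer in the spirit of the bleach-based fix.

Added example: not Mezzanine's or bleach's code.  Standard library only.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allowlists for this example; Mezzanine's real defaults live in
# its settings module.  Anything not listed here is removed.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRIBUTES = {
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
# URL schemes an href/src may use; javascript:, data:, vbscript: are not here.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
# Tags whose *content* must be discarded too, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style"}


def _safe_url(value):
    """True if value is a relative URL or uses an allowlisted scheme."""
    # Browsers ignore tabs/newlines inside a scheme, so strip them first.
    v = "".join(ch for ch in value if not ch.isspace() and ord(ch) >= 0x20).lower()
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # no scheme at all: relative URL
    return head.split(":", 1)[0] in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; unknown tags are unwrapped
    (tag removed, text kept) except script/style, whose bodies are dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            # Rejects every on* handler, style=, etc. by omission.
            if name not in ALLOWED_ATTRIBUTES.get(tag, set()):
                continue
            value = value or ""
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Entities were decoded by the parser; re-escape so text stays text.
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped


def sanitize(html):
    """Filter function with the assumed RICHTEXT_FILTER shape: str -> str."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: the kind of markup a malicious admin might submit
# directly to a RichTextField form, with the script body elided.
MALICIOUS = (
    '<p onclick="alert(1)">Hello <b>world</b></p>'
    '<script>/* token fetch would go here */</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">link</a>'
    '<a href="https://example.com/" title="ok">fine</a>'
)

if __name__ == "__main__":
    print(sanitize(MALICIOUS))
```

To hook something like this into a site via the setting described above, the dotted path of `sanitize` would be given as the filter; whether the filter runs on save or on render decides whether content stored before the fix is also covered, so a render-time filter is the safer choice for existing data.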