Merge pull request #551 from ubccr/fix-unprotected-eval
Fix unprotected eval
aebruno authored Jul 13, 2023
2 parents d3b1da6 + 4f6aeb9 commit dcf57a7
Showing 6 changed files with 11 additions and 4 deletions.
1 change: 1 addition & 0 deletions AUTHORS.md
@@ -26,3 +26,4 @@
- James Kruth
- Steve Anthony
- Jim Culbert
- Alex Tucker
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,10 @@
# ColdFront Changelog

## [1.1.5] - 2023-07-12

- SECURITY BUG FIX: Unprotected eval when adding publication. [#551](https://github.com/ubccr/coldfront/pull/551)
- Documentation improvements

## [1.1.4] - 2023-02-11

- Datepicker changed to flatpickr. Remove jquery-ui [#438](https://github.com/ubccr/coldfront/issues/438)
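Review bot: the new [1.1.5] entry records only the eval fix and documentation improvements, but this same merge also moves the Django pin from 3.2.17 to 3.2.20 in requirements.txt and setup.py; add a line such as "- Bump Django to 3.2.20" under 1.1.5 so operators upgrading for the security fix can see that the framework version changes with it.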
2 changes: 1 addition & 1 deletion coldfront/__init__.py
@@ -1,7 +1,7 @@
import os
import sys

__version__ = '1.1.4'
__version__ = '1.1.5'
VERSION = __version__


3 changes: 2 additions & 1 deletion coldfront/core/publication/views.py
@@ -1,3 +1,4 @@
import ast
import re
import uuid
import requests
@@ -203,7 +204,7 @@ def dispatch(self, request, *args, **kwargs):
return super().dispatch(request, *args, **kwargs)

def post(self, request, *args, **kwargs):
pubs = eval(request.POST.get('pubs'))
pubs = ast.literal_eval(request.POST.get('pubs'))
project_pk = self.kwargs.get('project_pk')

project_obj = get_object_or_404(Project, pk=project_pk)
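Review bot: swapping eval for ast.literal_eval on the `pubs = ast.literal_eval(request.POST.get('pubs'))` line closes the code-execution hole, but the call is still unguarded: `request.POST.get('pubs')` returns None when the field is absent, and literal_eval raises ValueError for None and ValueError or SyntaxError for any malformed string, so a bad request becomes an unhandled 500 instead of a 400. Wrap the parse in a try/except for (ValueError, SyntaxError) that returns HttpResponseBadRequest, and check the result shape afterwards (for example `isinstance(pubs, list)`) before the view iterates over it, since literal_eval will happily return an int, a dict or a string here. Longer term, carrying the selected publications as JSON in a form field and decoding with json.loads, or as a plain list of ids, would avoid parsing Python literals from client input at all; literal_eval is also documented as able to exhaust the interpreter stack on deeply nested input, so if it stays, capping the length of the POST value before parsing is cheap insurance.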
2 changes: 1 addition & 1 deletion requirements.txt
@@ -2,7 +2,7 @@ arrow==1.2.3
bibtexparser==1.4.0
blessed==1.20.0
chardet==5.1.0
Django==3.2.17
Django==3.2.20
django-crispy-forms==1.14.0
Faker==11.3.0
fontawesome-free==5.15.4
2 changes: 1 addition & 1 deletion setup.py
@@ -28,7 +28,7 @@
'bibtexparser==1.4.0',
'blessed==1.20.0',
'chardet==5.1.0',
'Django==3.2.17',
'Django==3.2.20',
'django-crispy-forms==1.14.0',
'Faker==11.3.0',
'fontawesome-free==5.15.4',