Merge pull request #551 from ubccr/fix-unprotected-eval

aebruno · web-flow · commit dcf57a7a48bc · 2023-07-12T20:52:16.000-04:00
Fix unprotected eval
diff --git a/AUTHORS.md b/AUTHORS.md
@@ -26,3 +26,4 @@
 - James Kruth
 - Steve Anthony
 - Jim Culbert
+- Alex Tucker
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # ColdFront Changelog
 
+## [1.1.5] - 2023-07-12
+
+- SECURITY BUG FIX: Unprotected eval when adding publication. [#551](https://github.com/ubccr/coldfront/pull/551)
+- Documentation improvements
+
 ## [1.1.4] - 2023-02-11
 
 - Datepicker changed to flatpickr. Remove jquery-ui [#438](https://github.com/ubccr/coldfront/issues/438)
diff --git a/coldfront/__init__.py b/coldfront/__init__.py
@@ -1,7 +1,7 @@
 import os
 import sys
 
-__version__ = '1.1.4'
+__version__ = '1.1.5'
 VERSION = __version__
 
 
diff --git a/coldfront/core/publication/views.py b/coldfront/core/publication/views.py
@@ -1,3 +1,4 @@
+import ast
 import re
 import uuid
 import requests
@@ -203,7 +204,7 @@ def dispatch(self, request, *args, **kwargs):
             return super().dispatch(request, *args, **kwargs)
 
     def post(self, request, *args, **kwargs):
-        pubs = eval(request.POST.get('pubs'))
+        pubs = ast.literal_eval(request.POST.get('pubs'))
         project_pk = self.kwargs.get('project_pk')
 
         project_obj = get_object_or_404(Project, pk=project_pk)
diff --git a/requirements.txt b/requirements.txt
@@ -2,7 +2,7 @@ arrow==1.2.3
 bibtexparser==1.4.0
 blessed==1.20.0
 chardet==5.1.0
-Django==3.2.17
+Django==3.2.20
 django-crispy-forms==1.14.0
 Faker==11.3.0
 fontawesome-free==5.15.4
diff --git a/setup.py b/setup.py
@@ -28,7 +28,7 @@
         'bibtexparser==1.4.0',
         'blessed==1.20.0',
         'chardet==5.1.0',
-        'Django==3.2.17',
+        'Django==3.2.20',
         'django-crispy-forms==1.14.0',
         'Faker==11.3.0',
         'fontawesome-free==5.15.4',
