diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2021-12-27 14:53:18 +0100 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2022-01-04 10:10:14 +0100 |
| commit | 2a8ec7f546d6d5806e221ec948c5146b55bd7489 (patch) | |
| tree | 8823ffc9251de1afbbc630f2813c4d0dead22a12 /docs | |
| parent | df79ef03ac867c93caaa6be56bc69e66abfeef8f (diff) | |
[4.0.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.
Thanks to Dennis Brinkrolf for the report.
Co-authored-by: Adam Johnson <me@adamj.eu>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/templates/builtins.txt | 7 | ||||
| -rw-r--r-- | docs/releases/2.2.26.txt | 16 | ||||
| -rw-r--r-- | docs/releases/3.2.11.txt | 16 | ||||
| -rw-r--r-- | docs/releases/4.0.1.txt | 16 |
4 files changed, 55 insertions, 0 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index baf0608a40..733cc3cdb2 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -1577,6 +1577,13 @@ produce empty output:: {{ values|dictsort:"0" }} +Ordering by elements at specified index is not supported on dictionaries. + +.. versionchanged:: 2.2.26 + + In older versions, ordering elements at specified index was supported on + dictionaries. + .. templatefilter:: dictsortreversed ``dictsortreversed`` diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt index 3444c491db..2ed9b32119 100644 --- a/docs/releases/2.2.26.txt +++ b/docs/releases/2.2.26.txt @@ -20,3 +20,19 @@ In order to mitigate this issue, relatively long values are now ignored by This issue has severity "medium" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter +================================================================================ + +Due to leveraging the Django Template Language's variable resolution logic, the +:tfilter:`dictsort` template filter was potentially vulnerable to information +disclosure or unintended method calls, if passed a suitably crafted key. + +In order to avoid this possibility, ``dictsort`` now works with a restricted +resolution logic, that will not call methods, nor allow indexing on +dictionaries. + +As a reminder, all untrusted user input should be validated before use. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. diff --git a/docs/releases/3.2.11.txt b/docs/releases/3.2.11.txt index 621139033c..e715ae866f 100644 --- a/docs/releases/3.2.11.txt +++ b/docs/releases/3.2.11.txt @@ -20,3 +20,19 @@ In order to mitigate this issue, relatively long values are now ignored by This issue has severity "medium" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter +================================================================================ + +Due to leveraging the Django Template Language's variable resolution logic, the +:tfilter:`dictsort` template filter was potentially vulnerable to information +disclosure or unintended method calls, if passed a suitably crafted key. + +In order to avoid this possibility, ``dictsort`` now works with a restricted +resolution logic, that will not call methods, nor allow indexing on +dictionaries. + +As a reminder, all untrusted user input should be validated before use. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. diff --git a/docs/releases/4.0.1.txt b/docs/releases/4.0.1.txt index 9429a8afff..5335511f1e 100644 --- a/docs/releases/4.0.1.txt +++ b/docs/releases/4.0.1.txt @@ -21,6 +21,22 @@ In order to mitigate this issue, relatively long values are now ignored by This issue has severity "medium" according to the :ref:`Django security policy <security-disclosure>`. +CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter +================================================================================ + +Due to leveraging the Django Template Language's variable resolution logic, the +:tfilter:`dictsort` template filter was potentially vulnerable to information +disclosure or unintended method calls, if passed a suitably crafted key. + +In order to avoid this possibility, ``dictsort`` now works with a restricted +resolution logic, that will not call methods, nor allow indexing on +dictionaries. + +As a reminder, all untrusted user input should be validated before use. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. + Bugfixes ======== |
