diff options
| author | Markus Holtermann <info@markusholtermann.eu> | 2022-01-02 00:37:40 +0100 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2022-02-01 07:40:51 +0100 |
| commit | 394517f07886495efcf79f95c7ee402a9437bd68 (patch) | |
| tree | c7df4b0d112de18ab6caab569e1bde5f7915c218 /docs | |
| parent | 97a72744681d0993b50dee952cf32cdf9650ad9f (diff) | |
Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
Thanks Keryn Knight for the report.
Co-authored-by: Adam Johnson <me@adamj.eu>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/templates/builtins.txt | 8 | ||||
| -rw-r--r-- | docs/releases/2.2.27.txt | 10 | ||||
| -rw-r--r-- | docs/releases/3.2.12.txt | 10 | ||||
| -rw-r--r-- | docs/releases/4.0.2.txt | 10 |
4 files changed, 35 insertions, 3 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 08c1ca47e2..6f324e2b3b 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -194,7 +194,13 @@ from its first value when it's next encountered. --------- Outputs a whole load of debugging information, including the current context -and imported modules. +and imported modules. ``{% debug %}`` outputs nothing when the :setting:`DEBUG` +setting is ``False``. + +.. versionchanged:: 2.2.27 + + In older versions, debugging information was displayed when the + :setting:`DEBUG` setting was ``False``. .. templatetag:: extends diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt index a35082fa33..b1712c649c 100644 --- a/docs/releases/2.2.27.txt +++ b/docs/releases/2.2.27.txt @@ -6,4 +6,12 @@ Django 2.2.27 release notes Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26. -... +CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag +============================================================= + +The ``{% debug %}`` template tag didn't properly encode the current context, +posing an XSS attack vector. + +In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an +information when the ``DEBUG`` setting is ``False``, and it ensures all context +variables are correctly escaped when the ``DEBUG`` setting is ``True``. diff --git a/docs/releases/3.2.12.txt b/docs/releases/3.2.12.txt index 8e4e9149fe..31bc7d2c59 100644 --- a/docs/releases/3.2.12.txt +++ b/docs/releases/3.2.12.txt @@ -6,4 +6,12 @@ Django 3.2.12 release notes Django 3.2.12 fixes two security issues with severity "medium" in 3.2.11. -... +CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag +============================================================= + +The ``{% debug %}`` template tag didn't properly encode the current context, +posing an XSS attack vector. + +In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an +information when the ``DEBUG`` setting is ``False``, and it ensures all context +variables are correctly escaped when the ``DEBUG`` setting is ``True``. diff --git a/docs/releases/4.0.2.txt b/docs/releases/4.0.2.txt index c5176e01fc..d949d49dd6 100644 --- a/docs/releases/4.0.2.txt +++ b/docs/releases/4.0.2.txt @@ -8,6 +8,16 @@ Django 4.0.2 fixes two security issues with severity "medium" and several bugs in 4.0.1. Also, the latest string translations from Transifex are incorporated, with a special mention for Bulgarian (fully translated). +CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag +============================================================= + +The ``{% debug %}`` template tag didn't properly encode the current context, +posing an XSS attack vector. + +In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an +information when the ``DEBUG`` setting is ``False``, and it ensures all context +variables are correctly escaped when the ``DEBUG`` setting is ``True``. + Bugfixes ======== |
