summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMarkus Holtermann <info@markusholtermann.eu>2022-01-02 00:37:40 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2022-02-01 07:40:51 +0100
commit394517f07886495efcf79f95c7ee402a9437bd68 (patch)
treec7df4b0d112de18ab6caab569e1bde5f7915c218 /docs
parent97a72744681d0993b50dee952cf32cdf9650ad9f (diff)
Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
Thanks Keryn Knight for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/templates/builtins.txt8
-rw-r--r--docs/releases/2.2.27.txt10
-rw-r--r--docs/releases/3.2.12.txt10
-rw-r--r--docs/releases/4.0.2.txt10
4 files changed, 35 insertions, 3 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 08c1ca47e2..6f324e2b3b 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -194,7 +194,13 @@ from its first value when it's next encountered.
---------
Outputs a whole load of debugging information, including the current context
-and imported modules.
+and imported modules. ``{% debug %}`` outputs nothing when the :setting:`DEBUG`
+setting is ``False``.
+
+.. versionchanged:: 2.2.27
+
+ In older versions, debugging information was displayed when the
+ :setting:`DEBUG` setting was ``False``.
.. templatetag:: extends
diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt
index a35082fa33..b1712c649c 100644
--- a/docs/releases/2.2.27.txt
+++ b/docs/releases/2.2.27.txt
@@ -6,4 +6,12 @@ Django 2.2.27 release notes
Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26.
-...
+CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
+=============================================================
+
+The ``{% debug %}`` template tag didn't properly encode the current context,
+posing an XSS attack vector.
+
+In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
+information when the ``DEBUG`` setting is ``False``, and it ensures all context
+variables are correctly escaped when the ``DEBUG`` setting is ``True``.
diff --git a/docs/releases/3.2.12.txt b/docs/releases/3.2.12.txt
index 8e4e9149fe..31bc7d2c59 100644
--- a/docs/releases/3.2.12.txt
+++ b/docs/releases/3.2.12.txt
@@ -6,4 +6,12 @@ Django 3.2.12 release notes
Django 3.2.12 fixes two security issues with severity "medium" in 3.2.11.
-...
+CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
+=============================================================
+
+The ``{% debug %}`` template tag didn't properly encode the current context,
+posing an XSS attack vector.
+
+In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
+information when the ``DEBUG`` setting is ``False``, and it ensures all context
+variables are correctly escaped when the ``DEBUG`` setting is ``True``.
diff --git a/docs/releases/4.0.2.txt b/docs/releases/4.0.2.txt
index c5176e01fc..d949d49dd6 100644
--- a/docs/releases/4.0.2.txt
+++ b/docs/releases/4.0.2.txt
@@ -8,6 +8,16 @@ Django 4.0.2 fixes two security issues with severity "medium" and several bugs
in 4.0.1. Also, the latest string translations from Transifex are incorporated,
with a special mention for Bulgarian (fully translated).
+CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
+=============================================================
+
+The ``{% debug %}`` template tag didn't properly encode the current context,
+posing an XSS attack vector.
+
+In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
+information when the ``DEBUG`` setting is ``False``, and it ensures all context
+variables are correctly escaped when the ``DEBUG`` setting is ``True``.
+
Bugfixes
========