summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorFlorian Apolloner <florian@apolloner.eu>2021-12-27 14:53:18 +0100
committerCarlton Gibson <carlton.gibson@noumenal.es>2022-01-04 10:03:56 +0100
commit761f449e0daf3de06b0132bd4d6dfcdeef578e26 (patch)
tree3665faa206ffb627d944e50e047bc8689d6cacff /docs
parent968a3d01fa79f055f93a1c3ed1535ecbcbdbb842 (diff)
Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.
Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/templates/builtins.txt7
-rw-r--r--docs/releases/2.2.26.txt16
-rw-r--r--docs/releases/3.2.11.txt16
-rw-r--r--docs/releases/4.0.1.txt16
4 files changed, 55 insertions, 0 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index f02a8f61c8..1fcfa1fa88 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -1577,6 +1577,13 @@ produce empty output::
{{ values|dictsort:"0" }}
+Ordering by elements at specified index is not supported on dictionaries.
+
+.. versionchanged:: 2.2.26
+
+ In older versions, ordering elements at specified index was supported on
+ dictionaries.
+
.. templatefilter:: dictsortreversed
``dictsortreversed``
diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt
index 3444c491db..2ed9b32119 100644
--- a/docs/releases/2.2.26.txt
+++ b/docs/releases/2.2.26.txt
@@ -20,3 +20,19 @@ In order to mitigate this issue, relatively long values are now ignored by
This issue has severity "medium" according to the :ref:`Django security policy
<security-disclosure>`.
+
+CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
+================================================================================
+
+Due to leveraging the Django Template Language's variable resolution logic, the
+:tfilter:`dictsort` template filter was potentially vulnerable to information
+disclosure or unintended method calls, if passed a suitably crafted key.
+
+In order to avoid this possibility, ``dictsort`` now works with a restricted
+resolution logic, that will not call methods, nor allow indexing on
+dictionaries.
+
+As a reminder, all untrusted user input should be validated before use.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
diff --git a/docs/releases/3.2.11.txt b/docs/releases/3.2.11.txt
index 621139033c..e715ae866f 100644
--- a/docs/releases/3.2.11.txt
+++ b/docs/releases/3.2.11.txt
@@ -20,3 +20,19 @@ In order to mitigate this issue, relatively long values are now ignored by
This issue has severity "medium" according to the :ref:`Django security policy
<security-disclosure>`.
+
+CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
+================================================================================
+
+Due to leveraging the Django Template Language's variable resolution logic, the
+:tfilter:`dictsort` template filter was potentially vulnerable to information
+disclosure or unintended method calls, if passed a suitably crafted key.
+
+In order to avoid this possibility, ``dictsort`` now works with a restricted
+resolution logic, that will not call methods, nor allow indexing on
+dictionaries.
+
+As a reminder, all untrusted user input should be validated before use.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
diff --git a/docs/releases/4.0.1.txt b/docs/releases/4.0.1.txt
index 9429a8afff..5335511f1e 100644
--- a/docs/releases/4.0.1.txt
+++ b/docs/releases/4.0.1.txt
@@ -21,6 +21,22 @@ In order to mitigate this issue, relatively long values are now ignored by
This issue has severity "medium" according to the :ref:`Django security policy
<security-disclosure>`.
+CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
+================================================================================
+
+Due to leveraging the Django Template Language's variable resolution logic, the
+:tfilter:`dictsort` template filter was potentially vulnerable to information
+disclosure or unintended method calls, if passed a suitably crafted key.
+
+In order to avoid this possibility, ``dictsort`` now works with a restricted
+resolution logic, that will not call methods, nor allow indexing on
+dictionaries.
+
+As a reminder, all untrusted user input should be validated before use.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
+
Bugfixes
========