author: Florian Apolloner <florian@apolloner.eu> 2021-12-27 14:53:18 +0100
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2022-01-04 10:20:31 +0100
commit: c9f648ccfac5ab90fb2829a66da4f77e68c7f93a (patch)
tree: e705dc71ee4d8d385a8330b267fada11141ba4f2 /docs
parent: 2135637fdd5ce994de110affef9e67dffdf77277 (diff)
[2.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.
Thanks to Dennis Brinkrolf for the report.
Co-authored-by: Adam Johnson <me@adamj.eu>
Diffstat (limited to 'docs')
-rw-r--r-- docs/ref/templates/builtins.txt | 7
-rw-r--r-- docs/releases/2.2.26.txt | 16
2 files changed, 23 insertions, 0 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 65a162e3b0..bc24308ba4 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -1575,6 +1575,13 @@ produce empty output::
{{ values|dictsort:"0" }}
+Ordering by elements at specified index is not supported on dictionaries.
+
+.. versionchanged:: 2.2.26
+
+ In older versions, ordering elements at specified index was supported on
+ dictionaries.
+
.. templatefilter:: dictsortreversed
``dictsortreversed``
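Review bot: the new sentence says index ordering is not supported on dictionaries but not what the filter does when such a key is passed, so a reader cannot tell whether it now produces empty output like the preceding example or something else; state the observable result in the same sentence. Two smaller points in the same lines: "at specified index" is missing an article in both the sentence and the versionchanged body ("at a specified index"), and since the restriction is a security fix it would help to link the 2.2.26 release note from the versionchanged block, e.g. "In older versions, ordering elements at a specified index was supported on dictionaries; see the 2.2.26 release notes."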
diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt
index 3444c491db..2ed9b32119 100644
--- a/docs/releases/2.2.26.txt
+++ b/docs/releases/2.2.26.txt
@@ -20,3 +20,19 @@ In order to mitigate this issue, relatively long values are now ignored by
This issue has severity "medium" according to the :ref:`Django security policy
<security-disclosure>`.
+
+CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
+================================================================================
+
+Due to leveraging the Django Template Language's variable resolution logic, the
+:tfilter:`dictsort` template filter was potentially vulnerable to information
+disclosure or unintended method calls, if passed a suitably crafted key.
+
+In order to avoid this possibility, ``dictsort`` now works with a restricted
+resolution logic, that will not call methods, nor allow indexing on
+dictionaries.
+
+As a reminder, all untrusted user input should be validated before use.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
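Review bot: the second paragraph describes the new resolution logic only by what it no longer does ("will not call methods, nor allow indexing on dictionaries"), so users cannot tell which keys still resolve; add one clause naming what remains supported so they can check their templates. Minor grammar in the same paragraph: the relative clause is restrictive, so drop the comma, i.e. "a restricted resolution logic that will not call methods or allow indexing on dictionaries." Also consider a pointer from this note to the ``dictsort`` reference entry that the same commit updates, so the two descriptions of the behaviour stay linked.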