diff options
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/templates/builtins.txt | 7 | ||||
| -rw-r--r-- | docs/releases/2.2.26.txt | 16 |
2 files changed, 23 insertions, 0 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 65a162e3b0..bc24308ba4 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -1575,6 +1575,13 @@ produce empty output:: {{ values|dictsort:"0" }} +Ordering by elements at specified index is not supported on dictionaries. + +.. versionchanged:: 2.2.26 + + In older versions, ordering elements at specified index was supported on + dictionaries. + .. templatefilter:: dictsortreversed ``dictsortreversed`` diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt index 3444c491db..2ed9b32119 100644 --- a/docs/releases/2.2.26.txt +++ b/docs/releases/2.2.26.txt @@ -20,3 +20,19 @@ In order to mitigate this issue, relatively long values are now ignored by This issue has severity "medium" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter +================================================================================ + +Due to leveraging the Django Template Language's variable resolution logic, the +:tfilter:`dictsort` template filter was potentially vulnerable to information +disclosure or unintended method calls, if passed a suitably crafted key. + +In order to avoid this possibility, ``dictsort`` now works with a restricted +resolution logic, that will not call methods, nor allow indexing on +dictionaries. + +As a reminder, all untrusted user input should be validated before use. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. |
