From 3ebbda0aef9e7a90ac6208bb8f9bc21228e2c7da Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Wed, 11 Nov 2015 20:10:55 +0100 Subject: [1.9.x] Fixed a settings leak possibility in the date template filter. This is a security fix. --- docs/releases/1.7.11.txt | 15 ++++++++++++++- docs/releases/1.8.7.txt | 15 ++++++++++++++- 2 files changed, 28 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/releases/1.7.11.txt b/docs/releases/1.7.11.txt index 7c6153eab1..8f2f5e7541 100644 --- a/docs/releases/1.7.11.txt +++ b/docs/releases/1.7.11.txt @@ -4,7 +4,20 @@ Django 1.7.11 release notes *Under development* -Django 1.7.11 fixes a data loss bug in 1.7.10. +Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10. + +Fixed settings leak possibility in ``date`` template filter +=========================================================== + +If an application allows users to specify an unvalidated format for dates and +passes this format to the :tfilter:`date` filter, e.g. +``{{ last_updated|date:user_date_format }}``, then a malicious user could +obtain any secret in the application's settings by specifying a settings key +instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``. + +To remedy this, the underlying function used by the ``date`` template filter, +``django.utils.formats.get_format()``, now only allows accessing the date/time +formatting settings. Bugfixes ======== diff --git a/docs/releases/1.8.7.txt b/docs/releases/1.8.7.txt index 25f7712f10..77d5e9f901 100644 --- a/docs/releases/1.8.7.txt +++ b/docs/releases/1.8.7.txt @@ -4,11 +4,24 @@ Django 1.8.7 release notes *Under development* -Django 1.8.7 fixes several bugs in 1.8.6. +Django 1.8.7 fixes a security issue and several bugs in 1.8.6. Additionally, Django's vendored version of six, :mod:`django.utils.six`, has been upgraded to the latest release (1.10.0). +Fixed settings leak possibility in ``date`` template filter +=========================================================== + +If an application allows users to specify an unvalidated format for dates and +passes this format to the :tfilter:`date` filter, e.g. +``{{ last_updated|date:user_date_format }}``, then a malicious user could +obtain any secret in the application's settings by specifying a settings key +instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``. + +To remedy this, the underlying function used by the ``date`` template filter, +``django.utils.formats.get_format()``, now only allows accessing the date/time +formatting settings. + Bugfixes ======== -- cgit v1.3