From c9f648ccfac5ab90fb2829a66da4f77e68c7f93a Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Mon, 27 Dec 2021 14:53:18 +0100 Subject: [2.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter. Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson --- docs/ref/templates/builtins.txt | 7 +++++++ docs/releases/2.2.26.txt | 16 ++++++++++++++++ 2 files changed, 23 insertions(+) (limited to 'docs') diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 65a162e3b0..bc24308ba4 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -1575,6 +1575,13 @@ produce empty output:: {{ values|dictsort:"0" }} +Ordering by elements at specified index is not supported on dictionaries. + +.. versionchanged:: 2.2.26 + + In older versions, ordering elements at specified index was supported on + dictionaries. + .. templatefilter:: dictsortreversed ``dictsortreversed`` diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt index 3444c491db..2ed9b32119 100644 --- a/docs/releases/2.2.26.txt +++ b/docs/releases/2.2.26.txt @@ -20,3 +20,19 @@ In order to mitigate this issue, relatively long values are now ignored by This issue has severity "medium" according to the :ref:`Django security policy `. + +CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter +================================================================================ + +Due to leveraging the Django Template Language's variable resolution logic, the +:tfilter:`dictsort` template filter was potentially vulnerable to information +disclosure or unintended method calls, if passed a suitably crafted key. + +In order to avoid this possibility, ``dictsort`` now works with a restricted +resolution logic, that will not call methods, nor allow indexing on +dictionaries. + +As a reminder, all untrusted user input should be validated before use. + +This issue has severity "low" according to the :ref:`Django security policy +`. -- cgit v1.3