Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.

Thanks to Dennis Brinkrolf for the report. Co-authored-by: Adam Johnson <me@adamj.eu>
author: Florian Apolloner <florian@apolloner.eu> 2021-12-27 14:53:18 +0100
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2022-01-04 10:03:56 +0100
commit: 761f449e0daf3de06b0132bd4d6dfcdeef578e26 (patch)
tree: 3665faa206ffb627d944e50e047bc8689d6cacff /django/template
parent: 968a3d01fa79f055f93a1c3ed1535ecbcbdbb842 (diff)
1 files changed, 17 insertions, 5 deletions
diff --git a/django/template/defaultfilters.py b/django/template/defaultfilters.py
index 13070b303b..0813cc9dad 100644
--- a/django/template/defaultfilters.py
+++ b/django/template/defaultfilters.py
@@ -22,7 +22,7 @@ from django.utils.text import (
 from django.utils.timesince import timesince, timeuntil
 from django.utils.translation import gettext, ngettext
 
-from .base import Variable, VariableDoesNotExist
+from .base import VARIABLE_ATTRIBUTE_SEPARATOR
 from .library import Library
 
 register = Library()
@@ -503,7 +503,7 @@ def striptags(value):
 def _property_resolver(arg):
     """
     When arg is convertible to float, behave like operator.itemgetter(arg)
-    Otherwise, behave like Variable(arg).resolve
+    Otherwise, chain __getitem__() and getattr().
 
     >>> _property_resolver(1)('abc')
     'b'
@@ -521,7 +521,19 @@ def _property_resolver(arg):
     try:
         float(arg)
     except ValueError:
-        return Variable(arg).resolve
+        if VARIABLE_ATTRIBUTE_SEPARATOR + '_' in arg or arg[0] == '_':
+            raise AttributeError('Access to private variables is forbidden.')
+        parts = arg.split(VARIABLE_ATTRIBUTE_SEPARATOR)
+
+        def resolve(value):
+            for part in parts:
+                try:
+                    value = value[part]
+                except (AttributeError, IndexError, KeyError, TypeError, ValueError):
+                    value = getattr(value, part)
+            return value
+
+        return resolve
     else:
         return itemgetter(arg)
 
@@ -534,7 +546,7 @@ def dictsort(value, arg):
     """
     try:
         return sorted(value, key=_property_resolver(arg))
-    except (TypeError, VariableDoesNotExist):
+    except (AttributeError, TypeError):
         return ''
 
 
@@ -546,7 +558,7 @@ def dictsortreversed(value, arg):
     """
     try:
         return sorted(value, key=_property_resolver(arg), reverse=True)
-    except (TypeError, VariableDoesNotExist):
+    except (AttributeError, TypeError):
         return ''
author	Florian Apolloner <florian@apolloner.eu>	2021-12-27 14:53:18 +0100
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2022-01-04 10:03:56 +0100
commit	761f449e0daf3de06b0132bd4d6dfcdeef578e26 (patch)
tree	3665faa206ffb627d944e50e047bc8689d6cacff /django/template
parent	968a3d01fa79f055f93a1c3ed1535ecbcbdbb842 (diff)