path: root/docs/releases
author: Florian Apolloner <florian@apolloner.eu> 2021-12-27 14:53:18 +0100
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2022-01-04 10:20:31 +0100
commit: c9f648ccfac5ab90fb2829a66da4f77e68c7f93a (patch)
tree: e705dc71ee4d8d385a8330b267fada11141ba4f2 /docs/releases
parent: 2135637fdd5ce994de110affef9e67dffdf77277 (diff)
[2.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.
Thanks to Dennis Brinkrolf for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
Diffstat (limited to 'docs/releases')
-rw-r--r--  docs/releases/2.2.26.txt  16
1 files changed, 16 insertions, 0 deletions
diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt
index 3444c491db..2ed9b32119 100644
--- a/docs/releases/2.2.26.txt
+++ b/docs/releases/2.2.26.txt
@@ -20,3 +20,19 @@ In order to mitigate this issue, relatively long values are now ignored by
This issue has severity "medium" according to the :ref:`Django security policy
<security-disclosure>`.
+
+CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter
+================================================================================
+
+Due to leveraging the Django Template Language's variable resolution logic, the
+:tfilter:`dictsort` template filter was potentially vulnerable to information
+disclosure or unintended method calls, if passed a suitably crafted key.
+
+In order to avoid this possibility, ``dictsort`` now works with a restricted
+resolution logic, that will not call methods, nor allow indexing on
+dictionaries.
+
+As a reminder, all untrusted user input should be validated before use.
+
+This issue has severity "low" according to the :ref:`Django security policy
+<security-disclosure>`.
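Review bot: the second paragraph of the new section (the `+In order to avoid this possibility` lines) has a stray comma before a restrictive clause: `resolution logic, that will not call methods, nor allow indexing on dictionaries` reads better as `resolution logic that will not call methods nor allow indexing on dictionaries`. The opening sentence, `Due to leveraging the Django Template Language's variable resolution logic, the ... filter was potentially vulnerable`, is also awkward; `Because it used the Django Template Language's variable resolution logic, the dictsort filter ...` states the cause more plainly. Finally, since the fix changes how `dictsort` resolves keys (no method calls, no dictionary indexing), a sentence telling readers that templates relying on those lookups will now behave differently would make the release note more useful to anyone upgrading.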