author: Florian Apolloner <florian@apolloner.eu> 2015-11-11 20:10:55 +0100
committer: Tim Graham <timograham@gmail.com> 2015-11-24 12:04:55 -0500
commit: 3ebbda0aef9e7a90ac6208bb8f9bc21228e2c7da
tree: d5ca8e7c58101e33c13b4a27c78a94b9901cd26a /docs
parent: 11d54e8f0da96d355b8dff17af8d5aa6bb3386db
[1.9.x] Fixed a settings leak possibility in the date template filter.
This is a security fix.
Diffstat (limited to 'docs'):
-rw-r--r-- docs/releases/1.7.11.txt | 15
-rw-r--r-- docs/releases/1.8.7.txt  | 15
2 files changed, 28 insertions, 2 deletions
diff --git a/docs/releases/1.7.11.txt b/docs/releases/1.7.11.txt
index 7c6153eab1..8f2f5e7541 100644
--- a/docs/releases/1.7.11.txt
+++ b/docs/releases/1.7.11.txt
@@ -4,7 +4,20 @@ Django 1.7.11 release notes
*Under development*
-Django 1.7.11 fixes a data loss bug in 1.7.10.
+Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.
+
+Fixed settings leak possibility in ``date`` template filter
+===========================================================
+
+If an application allows users to specify an unvalidated format for dates and
+passes this format to the :tfilter:`date` filter, e.g.
+``{{ last_updated|date:user_date_format }}``, then a malicious user could
+obtain any secret in the application's settings by specifying a settings key
+instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
+
+To remedy this, the underlying function used by the ``date`` template filter,
+``django.utils.formats.get_format()``, now only allows accessing the date/time
+formatting settings.
Bugfixes
========
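Review bot: the added text "instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``." is a sentence fragment; fold it into the preceding sentence, e.g. "instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``." The remedy paragraph names only the ``date`` filter as a caller of ``django.utils.formats.get_format()``; since the restriction is applied in ``get_format()`` itself, stating whether other callers of that function are covered would help readers judge their exposure. A one-line mitigation reminder that applications should validate user-supplied format strings against an allowlist before passing them to the filter, rather than relying on the framework restriction alone, would also fit here. If an identifier has been assigned for this issue, reference it in the section.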
diff --git a/docs/releases/1.8.7.txt b/docs/releases/1.8.7.txt
index 25f7712f10..77d5e9f901 100644
--- a/docs/releases/1.8.7.txt
+++ b/docs/releases/1.8.7.txt
@@ -4,11 +4,24 @@ Django 1.8.7 release notes
*Under development*
-Django 1.8.7 fixes several bugs in 1.8.6.
+Django 1.8.7 fixes a security issue and several bugs in 1.8.6.
Additionally, Django's vendored version of six, :mod:`django.utils.six`, has
been upgraded to the latest release (1.10.0).
+Fixed settings leak possibility in ``date`` template filter
+===========================================================
+
+If an application allows users to specify an unvalidated format for dates and
+passes this format to the :tfilter:`date` filter, e.g.
+``{{ last_updated|date:user_date_format }}``, then a malicious user could
+obtain any secret in the application's settings by specifying a settings key
+instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
+
+To remedy this, the underlying function used by the ``date`` template filter,
+``django.utils.formats.get_format()``, now only allows accessing the date/time
+formatting settings.
+
Bugfixes
========
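Review bot: the same fragment ("instead of a date format. e.g. ...") is duplicated here; apply the identical wording fix in both release notes so the two entries stay in sync. "now only allows accessing the date/time formatting settings" states the right scope but names no concrete setting; listing or linking the settings that remain reachable through ``get_format()`` would let readers verify the restriction against their own configuration.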