| field | value | date |
|---|---|---|
| author | Florian Apolloner <florian@apolloner.eu> | 2021-12-27 14:53:18 +0100 |
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2022-01-04 10:19:49 +0100 |
| commit | c7fe895bca06daf12cc1670b56eaf72a1ef27a16 | |
| tree | 3773adc90d7a1d4e0148e0cdcdc42364228bd88a /docs | |
| parent | a8b32fe13bcaed1c0b772fdc53de84abc224fb20 | |
[3.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.
Thanks to Dennis Brinkrolf for the report.
Co-authored-by: Adam Johnson <me@adamj.eu>
Diffstat (limited to 'docs')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/ref/templates/builtins.txt | 7 |
| -rw-r--r-- | docs/releases/2.2.26.txt | 16 |
| -rw-r--r-- | docs/releases/3.2.11.txt | 16 |
3 files changed, 39 insertions, 0 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 709f231729..ee7cc0eda3 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -1586,6 +1586,13 @@ produce empty output:: {{ values|dictsort:"0" }} +Ordering by elements at specified index is not supported on dictionaries. + +.. versionchanged:: 2.2.26 + + In older versions, ordering elements at specified index was supported on + dictionaries. + .. templatefilter:: dictsortreversed ``dictsortreversed`` diff --git a/docs/releases/2.2.26.txt b/docs/releases/2.2.26.txt index 3444c491db..2ed9b32119 100644 --- a/docs/releases/2.2.26.txt +++ b/docs/releases/2.2.26.txt @@ -20,3 +20,19 @@ In order to mitigate this issue, relatively long values are now ignored by This issue has severity "medium" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter +================================================================================ + +Due to leveraging the Django Template Language's variable resolution logic, the +:tfilter:`dictsort` template filter was potentially vulnerable to information +disclosure or unintended method calls, if passed a suitably crafted key. + +In order to avoid this possibility, ``dictsort`` now works with a restricted +resolution logic, that will not call methods, nor allow indexing on +dictionaries. + +As a reminder, all untrusted user input should be validated before use. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. diff --git a/docs/releases/3.2.11.txt b/docs/releases/3.2.11.txt index 621139033c..e715ae866f 100644 --- a/docs/releases/3.2.11.txt +++ b/docs/releases/3.2.11.txt 
@@ -20,3 +20,19 @@ In order to mitigate this issue, relatively long values are now ignored by This issue has severity "medium" according to the :ref:`Django security policy <security-disclosure>`. + +CVE-2021-45116: Potential information disclosure in ``dictsort`` template filter +================================================================================ + +Due to leveraging the Django Template Language's variable resolution logic, the +:tfilter:`dictsort` template filter was potentially vulnerable to information +disclosure or unintended method calls, if passed a suitably crafted key. + +In order to avoid this possibility, ``dictsort`` now works with a restricted +resolution logic, that will not call methods, nor allow indexing on +dictionaries. + +As a reminder, all untrusted user input should be validated before use. + +This issue has severity "low" according to the :ref:`Django security policy +<security-disclosure>`. |
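Review bot: in the docs/ref/templates/builtins.txt hunk, the added sentence "Ordering by elements at specified index is not supported on dictionaries." says what is unsupported but not what the reader will observe. It sits directly under the `{{ values|dictsort:"0" }}` example that the surrounding text says produces empty output, so state explicitly whether an index applied to a list of dictionaries now also produces empty output or raises, otherwise a template author cannot tell the two cases apart. The wording also needs an article in both places ("at a specified index"), and the versionchanged note should be parallel to the sentence above it: "In older versions, ordering by elements at a specified index was supported on dictionaries."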
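Review bot: in the docs/releases/2.2.26.txt and docs/releases/3.2.11.txt hunks (identical text), the fix paragraph only lists what the restricted resolution no longer does ("will not call methods, nor allow indexing on dictionaries"); add one sentence on which keys still resolve after the change (plain keys, dotted attribute or key lookups) so that users can tell which existing templates are affected by the upgrade. Two wording points in the same paragraphs: "a restricted resolution logic, that will not call methods" is a restrictive clause, so drop the comma ("restricted resolution logic that will not call methods"), and the opening "Due to leveraging the Django Template Language's variable resolution logic, the :tfilter:`dictsort` template filter was potentially vulnerable" reads more naturally as "Because the :tfilter:`dictsort` template filter used the Django Template Language's variable resolution logic, it was potentially vulnerable". Finally, "all untrusted user input should be validated before use" is generic; the concrete advice for this issue is that the ``dictsort`` key argument itself must not be built from untrusted input.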
