author: Florian Apolloner <florian@apolloner.eu> 2015-11-11 20:10:55 +0100
committer: Tim Graham <timograham@gmail.com> 2015-11-16 21:06:32 -0500
commit: 8a01c6b53169ee079cb21ac5919fdafcc8c5e172 (patch)
tree: 742c1dbff69233b1ee4e68a10fe280730112d9c8 /docs
parent: 3bd43598f73832793401a586e87290e011723530 (diff)
[1.7.x] Fixed a settings leak possibility in the date template filter.
This is a security fix.
Diffstat (limited to 'docs')
-rw-r--r-- docs/releases/1.7.11.txt | 15
1 file changed, 14 insertions, 1 deletion
diff --git a/docs/releases/1.7.11.txt b/docs/releases/1.7.11.txt
index 7c6153eab1..8f2f5e7541 100644
--- a/docs/releases/1.7.11.txt
+++ b/docs/releases/1.7.11.txt
@@ -4,7 +4,20 @@ Django 1.7.11 release notes
*Under development*
-Django 1.7.11 fixes a data loss bug in 1.7.10.
+Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.
+
+Fixed settings leak possibility in ``date`` template filter
+===========================================================
+
+If an application allows users to specify an unvalidated format for dates and
+passes this format to the :tfilter:`date` filter, e.g.
+``{{ last_updated|date:user_date_format }}``, then a malicious user could
+obtain any secret in the application's settings by specifying a settings key
+instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
+
+To remedy this, the underlying function used by the ``date`` template filter,
+``django.utils.formats.get_format()``, now only allows accessing the date/time
+formatting settings.
Bugfixes
========
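Review bot: the remedy paragraph (the lines describing ``django.utils.formats.get_format()``) says the function "now only allows accessing the date/time formatting settings" but never says what a caller gets for any other name, so an application author reading this note cannot tell whether a user-supplied ``"SECRET_KEY"`` format now raises, is silently ignored, or is handed on as a literal format string; spell out that behaviour in one sentence, and since the vulnerable pattern ``{{ last_updated|date:user_date_format }}`` is still shown as something applications do, add a sentence advising that user-controlled format strings passed to ``date`` should be validated against an allow-list regardless of this fix. Minor wording point in the first paragraph: "instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``." starts a sentence with a lowercase "e.g."; join it to the preceding sentence with a comma ("instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.").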