mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

Fixed a settings leak possibility in the date template filter.

Browse Source 
This is a security fix.
This commit is contained in:
Florian Apolloner
2015-11-11 20:10:55 +01:00
committed by Tim Graham
parent 710e11d076
commit 316bc3fc94
4 changed files with 51 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
docs/releases/1.7.11.txt
View File

@@ -4,7 +4,20 @@ Django 1.7.11 release notes
*Under development*
Django 1.7.11 fixes a data loss bug in 1.7.10.
Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.
Fixed settings leak possibility in ``date`` template filter
===========================================================
If an application allows users to specify an unvalidated format for dates and
passes this format to the :tfilter:`date` filter, e.g.
``{{ last_updated|date:user_date_format }}``, then a malicious user could
obtain any secret in the application's settings by specifying a settings key
instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
To remedy this, the underlying function used by the ``date`` template filter,
``django.utils.formats.get_format()``, now only allows accessing the date/time
formatting settings.
Bugfixes
========