Fixed a settings leak possibility in the date template filter.

This is a security fix.
2025-10-31 09:41:08 +00:00 · 2015-11-11 20:10:55 +01:00
parent 710e11d076
commit 316bc3fc94
4 changed files with 51 additions and 2 deletions
--- a/docs/releases/1.8.7.txt
+++ b/docs/releases/1.8.7.txt
@@ -4,11 +4,24 @@ Django 1.8.7 release notes

 *Under development*

-Django 1.8.7 fixes several bugs in 1.8.6.
+Django 1.8.7 fixes a security issue and several bugs in 1.8.6.

 Additionally, Django's vendored version of six, :mod:`django.utils.six`, has
 been upgraded to the latest release (1.10.0).

+Fixed settings leak possibility in ``date`` template filter
+===========================================================
+
+If an application allows users to specify an unvalidated format for dates and
+passes this format to the :tfilter:`date` filter, e.g.
+``{{ last_updated|date:user_date_format }}``, then a malicious user could
+obtain any secret in the application's settings by specifying a settings key
+instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
+
+To remedy this, the underlying function used by the ``date`` template filter,
+``django.utils.formats.get_format()``, now only allows accessing the date/time
+formatting settings.
+
 Bugfixes
 ========