Skip to content

Commit 316bc3f

Browse files
apollo13timgraham
authored andcommitted
Fixed a settings leak possibility in the date template filter.
This is a security fix.
1 parent 710e11d commit 316bc3f

File tree

4 files changed

+51
-2
lines changed

4 files changed

+51
-2
lines changed

Diff for: django/utils/formats.py

+20
Original file line numberDiff line numberDiff line change
@@ -30,6 +30,24 @@
3030
}
3131

3232

33+
FORMAT_SETTINGS = frozenset([
34+
'DECIMAL_SEPARATOR',
35+
'THOUSAND_SEPARATOR',
36+
'NUMBER_GROUPING',
37+
'FIRST_DAY_OF_WEEK',
38+
'MONTH_DAY_FORMAT',
39+
'TIME_FORMAT',
40+
'DATE_FORMAT',
41+
'DATETIME_FORMAT',
42+
'SHORT_DATE_FORMAT',
43+
'SHORT_DATETIME_FORMAT',
44+
'YEAR_MONTH_FORMAT',
45+
'DATE_INPUT_FORMATS',
46+
'TIME_INPUT_FORMATS',
47+
'DATETIME_INPUT_FORMATS',
48+
])
49+
50+
3351
def reset_format_cache():
3452
"""Clear any cached formats.
3553
@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
92110
be localized (or not), overriding the value of settings.USE_L10N.
93111
"""
94112
format_type = force_str(format_type)
113+
if format_type not in FORMAT_SETTINGS:
114+
return format_type
95115
if use_l10n or (use_l10n is None and settings.USE_L10N):
96116
if lang is None:
97117
lang = get_language()

Diff for: docs/releases/1.7.11.txt

+14-1
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,20 @@ Django 1.7.11 release notes
44

55
*Under development*
66

7-
Django 1.7.11 fixes a data loss bug in 1.7.10.
7+
Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.
8+
9+
Fixed settings leak possibility in ``date`` template filter
10+
===========================================================
11+
12+
If an application allows users to specify an unvalidated format for dates and
13+
passes this format to the :tfilter:`date` filter, e.g.
14+
``{{ last_updated|date:user_date_format }}``, then a malicious user could
15+
obtain any secret in the application's settings by specifying a settings key
16+
instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
17+
18+
To remedy this, the underlying function used by the ``date`` template filter,
19+
``django.utils.formats.get_format()``, now only allows accessing the date/time
20+
formatting settings.
821

922
Bugfixes
1023
========

Diff for: docs/releases/1.8.7.txt

+14-1
Original file line numberDiff line numberDiff line change
@@ -4,11 +4,24 @@ Django 1.8.7 release notes
44

55
*Under development*
66

7-
Django 1.8.7 fixes several bugs in 1.8.6.
7+
Django 1.8.7 fixes a security issue and several bugs in 1.8.6.
88

99
Additionally, Django's vendored version of six, :mod:`django.utils.six`, has
1010
been upgraded to the latest release (1.10.0).
1111

12+
Fixed settings leak possibility in ``date`` template filter
13+
===========================================================
14+
15+
If an application allows users to specify an unvalidated format for dates and
16+
passes this format to the :tfilter:`date` filter, e.g.
17+
``{{ last_updated|date:user_date_format }}``, then a malicious user could
18+
obtain any secret in the application's settings by specifying a settings key
19+
instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
20+
21+
To remedy this, the underlying function used by the ``date`` template filter,
22+
``django.utils.formats.get_format()``, now only allows accessing the date/time
23+
formatting settings.
24+
1225
Bugfixes
1326
========
1427

Diff for: tests/i18n/tests.py

+3
Original file line numberDiff line numberDiff line change
@@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self):
12491249
'<input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
12501250
)
12511251

1252+
def test_format_arbitrary_settings(self):
1253+
self.assertEqual(get_format('DEBUG'), 'DEBUG')
1254+
12521255

12531256
class MiscTests(SimpleTestCase):
12541257

0 commit comments

Comments
 (0)