Skip to content
Permalink
Browse files

[1.7.x] Fixed a settings leak possibility in the date template filter.

This is a security fix.
  • Loading branch information...
apollo13 authored and timgraham committed Nov 11, 2015
1 parent 3bd4359 commit 8a01c6b53169ee079cb21ac5919fdafcc8c5e172
Showing with 37 additions and 1 deletion.
  1. +20 −0 django/utils/formats.py
  2. +14 −1 docs/releases/1.7.11.txt
  3. +3 −0 tests/i18n/tests.py
@@ -31,6 +31,24 @@
}


FORMAT_SETTINGS = frozenset([
'DECIMAL_SEPARATOR',
'THOUSAND_SEPARATOR',
'NUMBER_GROUPING',
'FIRST_DAY_OF_WEEK',
'MONTH_DAY_FORMAT',
'TIME_FORMAT',
'DATE_FORMAT',
'DATETIME_FORMAT',
'SHORT_DATE_FORMAT',
'SHORT_DATETIME_FORMAT',
'YEAR_MONTH_FORMAT',
'DATE_INPUT_FORMATS',
'TIME_INPUT_FORMATS',
'DATETIME_INPUT_FORMATS',
])


def reset_format_cache():
"""Clear any cached formats.
@@ -85,6 +103,8 @@ def get_format(format_type, lang=None, use_l10n=None):
be localized (or not), overriding the value of settings.USE_L10N.
"""
format_type = force_str(format_type)
if format_type not in FORMAT_SETTINGS:
return format_type
if use_l10n or (use_l10n is None and settings.USE_L10N):
if lang is None:
lang = get_language()
@@ -4,7 +4,20 @@ Django 1.7.11 release notes

*Under development*

Django 1.7.11 fixes a data loss bug in 1.7.10.
Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.

Fixed settings leak possibility in ``date`` template filter
===========================================================

If an application allows users to specify an unvalidated format for dates and
passes this format to the :tfilter:`date` filter, e.g.
``{{ last_updated|date:user_date_format }}``, then a malicious user could
obtain any secret in the application's settings by specifying a settings key
instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.

To remedy this, the underlying function used by the ``date`` template filter,
``django.utils.formats.get_format()``, now only allows accessing the date/time
formatting settings.

Bugfixes
========
@@ -828,6 +828,9 @@ def test_localized_as_text_as_hidden_input(self):
'<input id="id_date_added" name="date_added" type="hidden" value="31.12.2009 06:00:00" />; <input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
)

def test_format_arbitrary_settings(self):
self.assertEqual(get_format('DEBUG'), 'DEBUG')


class MiscTests(TestCase):

0 comments on commit 8a01c6b

Please sign in to comment.
You can’t perform that action at this time.