[3.0] py-django: Fixed settings leak possibility in date template filter (CVE-2015-8213)
A vulnerability in the ``date`` template filter that exposed information from the application settings was found.

If an application allows users to specify an unvalidated format for dates and passes this format to the ``date`` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
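To show the defect and the fix side by side, here is an added Python model (not Django's own code and not part of this changelog) of the format lookup behind the ``date`` filter: the vulnerable lookup resolves any attribute name against settings, while the fixed lookup, written in the spirit of the allow-list approach in the linked upstream commit, only resolves a fixed set of format-setting names. The ``Settings`` class, its values, and the subset of format characters are constructed for this example.

```python
import datetime

# Constructed stand-in for django.conf.settings with hypothetical values;
# SECRET_KEY is the secret a user-controlled format name could reach.
class Settings:
    DATE_FORMAT = "j/m/Y"
    SECRET_KEY = "s3cr3t-k3y-v4lu3"

settings = Settings()

# Names that legitimately refer to a format setting (an allow-list in the
# spirit of the upstream fix; trimmed to what this example exercises).
FORMAT_SETTINGS = frozenset({"DATE_FORMAT", "SHORT_DATE_FORMAT", "TIME_FORMAT"})


def get_format_vulnerable(format_type):
    """Pre-fix lookup: any settings attribute name is resolved, so
    "SECRET_KEY" returns the secret instead of a format string."""
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type):
    """Post-fix lookup: only allow-listed names are resolved against
    settings; everything else is treated as a literal format string."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


def django_date_format(value, fmt):
    """Tiny subset of Django's date format characters (j, m, Y); any
    other character is emitted literally, as Django's formatter does."""
    out = []
    for ch in fmt:
        if ch == "j":
            out.append(str(value.day))
        elif ch == "m":
            out.append("%02d" % value.month)
        elif ch == "Y":
            out.append(str(value.year))
        else:
            out.append(ch)
    return "".join(out)


def render_date(value, user_format, lookup):
    """Model of {{ value|date:user_format }} with a pluggable lookup."""
    return django_date_format(value, lookup(user_format))
```

With the vulnerable lookup, ``render_date(date, "SECRET_KEY", get_format_vulnerable)`` emits the secret; with the fixed lookup the same input renders the literal string, while ``"DATE_FORMAT"`` still resolves to the configured format.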
References:
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
Patch for 1.7.x
https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172
(from redmine: issue id 4902, created on 2015-11-26, closed on 2015-11-30)
- Relations:
  - parent #4898 (closed)
- Changesets:
  - Revision ceac7c45 by Christian Kampka on 2015-11-30T13:43:02Z:
    main/py-django: security fix CVE-2015-8213
    Fixed a settings leak possibility in the date template filter.
    fixes #4902