[3.3] py-django: Fixed settings leak possibility in date template filter (CVE-2015-8213)
A vulnerability in the ``date`` template filter that exposes information from the application's settings was found.

If an application allows users to specify an unvalidated format for dates and passes this format to the ``date`` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
References:
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
(from redmine: issue id 4900, created on 2015-11-26, closed on 2015-11-30)
- Relations:
  - parent #4898 (closed)