py-django: Fixed settings leak possibility in date template filter (CVE-2015-8213)
A vulnerability in the ``date`` template filter that exposed information on application settings was found.
If an application allows users to specify an unvalidated format for dates and passes this format to the ``date`` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. ``SECRET_KEY`` instead of ``j/m/Y``.
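The following is an added, self-contained illustration of the mechanism described above; it is not code from Django or from this package's patches. A constructed ``settings`` object stands in for ``django.conf.settings``, ``render_date`` is a toy substitute for Django's date formatter that handles only five format codes, and the names ``get_format_unsafe``, ``get_format_safe``, ``date_filter`` and ``LAST_UPDATED`` are hypothetical. The ``FORMAT_SETTINGS`` allow-list is modelled on the idea of the upstream fix (resolve a format argument through settings only when it names a known format setting) and is assumed here rather than taken from the page.

```python
"""Why an unvalidated date format could leak settings, and the allow-list
check that closes the hole (added example, not Django's own code)."""
from datetime import datetime
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings: one genuine date-format
# setting and one secret that must never be rendered into a template.
settings = SimpleNamespace(
    DATE_FORMAT="j/m/Y",
    SECRET_KEY="TOP-SECRET-0001",   # constructed sample value
)

# Assumed allow-list: the only settings names that legitimately hold a
# date/time/number format and may therefore be looked up by name.
FORMAT_SETTINGS = frozenset({
    "DECIMAL_SEPARATOR", "THOUSAND_SEPARATOR", "NUMBER_GROUPING",
    "FIRST_DAY_OF_WEEK", "MONTH_DAY_FORMAT", "TIME_FORMAT", "DATE_FORMAT",
    "DATETIME_FORMAT", "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "DATE_INPUT_FORMATS", "TIME_INPUT_FORMATS",
    "DATETIME_INPUT_FORMATS",
})


def get_format_unsafe(format_type):
    """Pre-fix behaviour: *any* attribute name on the settings object is
    treated as a format alias, so a user-controlled string that happens to
    be a settings key is replaced by that setting's value."""
    return getattr(settings, format_type, format_type)


def get_format_safe(format_type):
    """Post-fix behaviour: names outside the allow-list are never looked
    up in settings; they are used literally as a format string."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type, format_type)


def render_date(value, fmt):
    """Toy replacement for django.utils.dateformat: a few Django format
    codes are substituted, every other character is copied through
    verbatim, which is exactly why a secret used as a format shows up in
    the rendered page."""
    codes = {
        "j": str(value.day),          # day without leading zero
        "d": f"{value.day:02d}",      # day, two digits
        "n": str(value.month),        # month without leading zero
        "m": f"{value.month:02d}",    # month, two digits
        "Y": str(value.year),         # four-digit year
    }
    return "".join(codes.get(ch, ch) for ch in fmt)


def date_filter(value, user_format, resolver=get_format_safe):
    """Minimal model of ``{{ value|date:user_format }}``: resolve the
    user-supplied format through ``resolver`` and then render it."""
    return render_date(value, resolver(user_format))


LAST_UPDATED = datetime(2015, 11, 24)   # constructed sample date

if __name__ == "__main__":
    for fmt in ("j/m/Y", "DATE_FORMAT", "SECRET_KEY"):
        print(f"{fmt:12} unsafe -> {date_filter(LAST_UPDATED, fmt, get_format_unsafe)!r}")
        print(f"{fmt:12} safe   -> {date_filter(LAST_UPDATED, fmt, get_format_safe)!r}")
```

With the pre-fix resolver the string ``SECRET_KEY`` is swapped for the secret itself and rendered almost verbatim; with the allow-list in place the same input is treated as an ordinary format string, so the output contains only the literal letters of ``SECRET_KEY`` (with ``Y`` expanded to the year) and nothing from settings. The same check is what makes ``DATE_FORMAT`` still work as a named format.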
References:
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
(from redmine: issue id 4898, created on 2015-11-26, closed on 2015-11-30)
- Relations:
  - child #4899 (closed)
  - child #4900 (closed)
  - child #4901 (closed)
  - child #4902 (closed)
- Changesets:
  - Revision 492a8b72 by Christian Kampka on 2015-11-30T13:32:47Z:
    main/django1.5: security fix CVE-2015-8213
    Fixed a settings leak possibility in the date template filter.
    ref #4898
  - Revision 219a75df by Christian Kampka on 2015-11-30T13:39:30Z:
    main/django1.5: security fix CVE-2015-8213
    Fixed a settings leak possibility in the date template filter.
    ref #4898
  - Revision 6a3b86bd by Christian Kampka on 2015-11-30T13:44:52Z:
    main/py-django: security fix CVE-2015-8213
    Fixed a settings leak possibility in the date template filter.
    ref #4898