components/python/django/patches/CVE-2015-8213.patch
author Danek Duvall <danek.duvall@oracle.com>
Tue, 24 Nov 2015 15:23:56 -0800
changeset 5127 ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO

https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/

CVE-2015-8213: Fixed settings leak possibility in date template filter

If an application allows users to specify an unvalidated format for dates
and passes this format to the date filter, e.g. {{
last_updated|date:user_date_format }}, then a malicious user could obtain
any secret in the application's settings by specifying a settings key
instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter,
django.utils.formats.get_format(), now only allows accessing the date/time
formatting settings.

This is backported from the commit on the 1.7 branch:

    https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172

because upstream is no longer maintaining the 1.4 branch.

--- Django-1.4.22/django/utils/formats.py	Tue Aug 18 10:17:02 2015
+++ Django-1.4.22/django/utils/formats.py	Tue Nov 24 15:20:12 2015
@@ -15,6 +15,25 @@
 _format_cache = {}
 _format_modules_cache = {}
 
+
+FORMAT_SETTINGS = frozenset([
+    'DECIMAL_SEPARATOR',
+    'THOUSAND_SEPARATOR',
+    'NUMBER_GROUPING',
+    'FIRST_DAY_OF_WEEK',
+    'MONTH_DAY_FORMAT',
+    'TIME_FORMAT',
+    'DATE_FORMAT',
+    'DATETIME_FORMAT',
+    'SHORT_DATE_FORMAT',
+    'SHORT_DATETIME_FORMAT',
+    'YEAR_MONTH_FORMAT',
+    'DATE_INPUT_FORMATS',
+    'TIME_INPUT_FORMATS',
+    'DATETIME_INPUT_FORMATS',
+])
+
+
 def reset_format_cache():
     """Clear any cached formats.
 
@@ -66,6 +85,8 @@
     be localized (or not), overriding the value of settings.USE_L10N.
     """
     format_type = smart_str(format_type)
+    if format_type not in FORMAT_SETTINGS:
+        return format_type
     if use_l10n or (use_l10n is None and settings.USE_L10N):
         if lang is None:
             lang = get_language()
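Review bot: The docstring of get_format, whose visible tail ends just above the added check, still describes only the use_l10n behaviour and says nothing about the new rule that a format_type outside FORMAT_SETTINGS is handed back unchanged rather than looked up on settings; the added `if format_type not in FORMAT_SETTINGS: return format_type` silently changes the contract for every caller. I would add to the docstring, above the closing quotes, `If format_type is not one of the names in FORMAT_SETTINGS it is returned as-is, so that a user-controlled format string cannot be used to read other settings.`. Placing the check after smart_str() is right, since it makes a unicode name comparable against the str entries of the frozenset; the rest of get_format (signature and the settings lookup the check protects) lies outside the hunk.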
--- Django-1.4.22/tests/regressiontests/i18n/tests.py.orig	Tue Aug 18 10:17:02 2015
+++ Django-1.4.22/tests/regressiontests/i18n/tests.py	Tue Nov 24 15:19:03 2015
@@ -684,6 +684,10 @@
                 self.assertEqual(template2.render(context), output2)
                 self.assertEqual(template3.render(context), output3)
 
+    def test_format_arbitrary_settings(self):
+        self.assertEqual(get_format('DEBUG'), 'DEBUG')
+
+
 class MiscTests(TestCase):
 
     def setUp(self):
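Review bot: The new test_format_arbitrary_settings pins only one rejected name, `DEBUG`, and nothing on the other side of the boundary, so a regression that broke the allowlist lookup for a legitimate format name, or that only blocked DEBUG specifically, would still pass. I would add an assertion for the name the advisory actually cites, `self.assertEqual(get_format('SECRET_KEY'), 'SECRET_KEY')`, and a positive case for an allowlisted name such as `self.assertNotEqual(get_format('DATE_FORMAT'), 'DATE_FORMAT')`; the positive case presumably needs the localized or settings value to differ from the literal name, which I would expect but cannot confirm from this hunk. The enclosing test class starts outside the hunk.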