November 24, 2015
Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.
date
template filter¶If an application allows users to specify an unvalidated format for dates and
passes this format to the date
filter, e.g.
{{ last_updated|date:user_date_format }}
, then a malicious user could
obtain any secret in the application’s settings by specifying a settings key
instead of a date format. e.g. "SECRET_KEY"
instead of "j/m/Y"
.
To remedy this, the underlying function used by the date
template filter,
django.utils.formats.get_format()
, now only allows accessing the date/time
formatting settings.
Jun 22, 2017