
From c1a1418273ecbc02161f40838a88213fffdb7232 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Wed, 18 Nov 2015 10:04:24 +0100
Subject: [PATCH 4/4] [1.6.x] Fixed a settings leak possibility in the date
 template filter.

This is a security fix.

bnc#955412
CVE-2015-8213: Settings leak possibility in ``date`` template filter
====================================================================

If an application allows users to specify an unvalidated format for
dates and passes this format to the ``date`` filter, e.g.
``{{ last_updated|date:user_date_format }}``, then a malicious user
could obtain any secret in the application's settings by specifying a
settings key instead of a date format. e.g. ``"SECRET_KEY"`` instead
of ``"j/m/Y"``.

To remedy this, the underlying function used by the ``date`` template
filter, ``django.utils.formats.get_format()``, now only resolves the
date, time and number formatting settings listed in ``FORMAT_SETTINGS``.
---
 django/utils/formats.py | 21 +++++++++++++++++++++
 tests/i18n/tests.py     |  3 +++
 2 files changed, 24 insertions(+)

diff --git a/django/utils/formats.py b/django/utils/formats.py
index dbe1716..8b81b14 100644
--- a/django/utils/formats.py
+++ b/django/utils/formats.py
@@ -28,6 +28,25 @@ ISO_INPUT_FORMATS = {
     ),
 }
 
+
+FORMAT_SETTINGS = frozenset([
+    'DECIMAL_SEPARATOR',
+    'THOUSAND_SEPARATOR',
+    'NUMBER_GROUPING',
+    'FIRST_DAY_OF_WEEK',
+    'MONTH_DAY_FORMAT',
+    'TIME_FORMAT',
+    'DATE_FORMAT',
+    'DATETIME_FORMAT',
+    'SHORT_DATE_FORMAT',
+    'SHORT_DATETIME_FORMAT',
+    'YEAR_MONTH_FORMAT',
+    'DATE_INPUT_FORMATS',
+    'TIME_INPUT_FORMATS',
+    'DATETIME_INPUT_FORMATS',
+])
+
+
 def reset_format_cache():
     """Clear any cached formats.
 
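Review bot: `FORMAT_SETTINGS` is the security boundary this fix introduces, yet nothing in the hunk says so, so a later maintainer could add a non-formatting setting here and silently reopen the settings leak through the `date` filter. A comment above the frozenset should state the contract, e.g. `# Only these settings may be resolved by get_format(); any other format_type is returned verbatim. Never add a non-formatting setting here — the name is user-controllable via the date filter.` Note that the list also covers the number-formatting keys (`DECIMAL_SEPARATOR`, `THOUSAND_SEPARATOR`, `NUMBER_GROUPING`), so it is slightly broader than the "date/time formatting settings" the commit message describes; the comment should reflect that.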
@@ -79,6 +98,8 @@ def get_format(format_type, lang=None, use_l10n=None):
     be localized (or not), overriding the value of settings.USE_L10N.
     """
     format_type = force_str(format_type)
+    if format_type not in FORMAT_SETTINGS:
+        return format_type
     if use_l10n or (use_l10n is None and settings.USE_L10N):
         if lang is None:
             lang = get_language()
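Review bot: The new early return changes `get_format()`'s contract — any `format_type` outside `FORMAT_SETTINGS` now comes back unchanged instead of (presumably) being looked up on `settings` further down — but the docstring just above is not updated to say so. I would add to it: `If format_type is not one of FORMAT_SETTINGS it is returned unchanged, so untrusted strings may be passed through as literal format strings without exposing other settings.` The comparison is exact and case-sensitive, which is fine here since settings attribute lookup is exact too. The rest of `get_format()`'s body lies outside this hunk, so I cannot confirm what happens to a value after the allowlist check.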
diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
index 9533baa..a24a56a 100644
--- a/tests/i18n/tests.py
+++ b/tests/i18n/tests.py
@@ -817,6 +817,9 @@ class FormattingTests(TransRealMixin, TestCase):
                 '<input id="id_date_added" name="date_added" type="hidden" value="31.12.2009 06:00:00" />; <input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
             )
 
+    def test_format_arbitrary_settings(self):
+        self.assertEqual(get_format('DEBUG'), 'DEBUG')
+
 
 class MiscTests(TransRealMixin, TestCase):
 
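Review bot: `test_format_arbitrary_settings` pins only the pass-through of a non-format name through `get_format()` directly; it neither exercises the `date` template-filter path the commit message describes nor checks that a legitimate name in `FORMAT_SETTINGS` still resolves, so a regression in either direction would pass. Assuming `settings`, `Template` and `Context` are available in this module (their imports are outside the hunk), I would add `rendered = Template('{{ d|date:"SECRET_KEY" }}').render(Context({'d': datetime.date(2015, 11, 18)}))` followed by `self.assertNotIn(settings.SECRET_KEY, rendered)`, and under `override_settings(USE_L10N=False)` a positive case `self.assertEqual(get_format('DATE_FORMAT'), settings.DATE_FORMAT)`.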
-- 
2.6.2
