
From 9c2fa72cb5da9a44f04dce3eeb9c5408b6d9d895 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
Date: Wed, 18 Nov 2015 10:04:24 +0100
Subject: [PATCH 10/10] [1.5.x] Fixed a settings leak possibility in the date
 template filter.

This is a security fix.

bnc#955412
CVE-2015-8213: Settings leak possibility in ``date`` template filter
====================================================================

If an application allows users to specify an unvalidated format for
dates and passes this format to the ``date`` filter, e.g.
``{{ last_updated|date:user_date_format }}``, then a malicious user
could obtain any secret in the application's settings by specifying a
settings key instead of a date format. e.g. ``"SECRET_KEY"`` instead
of ``"j/m/Y"``.

To remedy this, the underlying function used by the ``date`` template
filter, ``django.utils.formats.get_format()``, now only allows looking up
the localization format settings (date, time and number formatting); any
other name is returned unchanged instead of being resolved against settings.
---
 django/utils/formats.py             | 21 +++++++++++++++++++++
 tests/regressiontests/i18n/tests.py |  4 ++++
 2 files changed, 25 insertions(+)

diff --git a/django/utils/formats.py b/django/utils/formats.py
index 03b9918..4c04473 100644
--- a/django/utils/formats.py
+++ b/django/utils/formats.py
@@ -27,6 +27,25 @@ ISO_INPUT_FORMATS = {
     ),
 }
 
+
+FORMAT_SETTINGS = frozenset([
+    'DECIMAL_SEPARATOR',
+    'THOUSAND_SEPARATOR',
+    'NUMBER_GROUPING',
+    'FIRST_DAY_OF_WEEK',
+    'MONTH_DAY_FORMAT',
+    'TIME_FORMAT',
+    'DATE_FORMAT',
+    'DATETIME_FORMAT',
+    'SHORT_DATE_FORMAT',
+    'SHORT_DATETIME_FORMAT',
+    'YEAR_MONTH_FORMAT',
+    'DATE_INPUT_FORMATS',
+    'TIME_INPUT_FORMATS',
+    'DATETIME_INPUT_FORMATS',
+])
+
+
 def reset_format_cache():
     """Clear any cached formats.
 
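Review bot: FORMAT_SETTINGS has no comment saying it is a security allow-list, so a maintainer who later adds a convenience entry or "tidies" the set has no signal that adding a non-format setting reopens CVE-2015-8213 while dropping an entry silently breaks that format lookup. I would put a comment directly above the frozenset: `# Allow-list of settings that get_format() may resolve; any other name is returned unchanged so template filters cannot read arbitrary settings (CVE-2015-8213).` Note also that the set includes the number-formatting names DECIMAL_SEPARATOR, THOUSAND_SEPARATOR and NUMBER_GROUPING, not only date/time settings as the commit message says, which is correct for the number-formatting callers but worth stating next to the list.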
@@ -78,6 +97,8 @@ def get_format(format_type, lang=None, use_l10n=None):
     be localized (or not), overriding the value of settings.USE_L10N.
     """
     format_type = force_str(format_type)
+    if format_type not in FORMAT_SETTINGS:
+        return format_type
     if use_l10n or (use_l10n is None and settings.USE_L10N):
         if lang is None:
             lang = get_language()
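Review bot: The docstring of get_format() (its tail is visible at the top of the hunk) still documents only lang and use_l10n and says nothing about the new contract that a format_type outside FORMAT_SETTINGS is handed back verbatim, so callers passing an unknown name now get their own string instead of a settings lookup or an AttributeError. I would add a sentence such as `If format_type is not one of the localization format settings in FORMAT_SETTINGS it is returned as-is, so callers (e.g. the date template filter) cannot read arbitrary settings.` The early return itself is the right fail-closed shape: it never touches settings for unknown names and runs after force_str, so a non-str format_type is normalized before the membership test. The remainder of get_format(), including whatever settings lookup the allow-list is protecting, is outside the hunk.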
diff --git a/tests/regressiontests/i18n/tests.py b/tests/regressiontests/i18n/tests.py
index d8af6f1..b974b08 100644
--- a/tests/regressiontests/i18n/tests.py
+++ b/tests/regressiontests/i18n/tests.py
@@ -693,6 +693,10 @@ class FormattingTests(TestCase):
                 self.assertEqual(template2.render(context), output2)
                 self.assertEqual(template3.render(context), output3)
 
+    def test_format_arbitrary_settings(self):
+        self.assertEqual(get_format('DEBUG'), 'DEBUG')
+
+
 class MiscTests(TestCase):
 
     def setUp(self):
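Review bot: test_format_arbitrary_settings only pins the helper with `get_format('DEBUG')` and never exercises the attack path the commit message describes, the date template filter with a user-supplied format, so a later change that routes the filter around get_format() would pass this test. I would add an assertion that renders the filter with a settings name and checks the secret is not leaked, e.g. `output = Template('{{ d|date:"SECRET_KEY" }}').render(Context({'d': datetime.date(2015, 1, 1)}))` followed by `self.assertNotIn(settings.SECRET_KEY, output)`, rather than pinning the exact rendered string, since the letters of SECRET_KEY are themselves interpreted as date-format characters. This presumes Template, Context, settings and datetime are imported in this test module; the module's import block, and the import of get_format the new test relies on, are outside the hunk, so please confirm.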
-- 
2.6.2
