If an application allows users to specify an unvalidated format for dates and
passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }},
then a malicious user could obtain any secret in the application's settings by
specifying a settings key instead of a date format, e.g. "SECRET_KEY" instead of
"j/m/Y". The filter resolved its argument through django.utils.formats.get_format(),
which looked the name up on the settings object, so the value of that setting
became the format string and its characters (apart from those the date formatter
interprets as format codes) were rendered straight into the page.
To remedy this, the underlying function used by the date template filter,
django.utils.formats.get_format(), now only allows accessing the date/time
formatting settings; any other argument is treated as a literal format string.
Regardless of version, user input should not be passed as the format argument
of the date filter without validating it against a fixed set of allowed formats.
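The following is an added, self-contained model of the lookup described above; it is
not Django's code and does not import Django. It stands in for django.conf.settings
with a constructed namespace (the SECRET_KEY value is made up), replaces
django.utils.dateformat.format with a minimal formatter that expands only the
format characters j, d, n, m and Y, and shows the pre-1.8.7 lookup (any attribute
of settings is reachable) beside the 1.8.7 behaviour (only the FORMAT_SETTINGS
names resolve; anything else is a literal format). The membership of
FORMAT_SETTINGS is reproduced from memory and should be treated as an assumption.

```python
"""Model of the Django date-filter settings leak (pre-1.8.7) and its fix."""
import datetime
import types

# Constructed stand-in for django.conf.settings; the values are invented.
settings = types.SimpleNamespace(
    SECRET_KEY="xk9!example-only-secret",
    DATE_FORMAT="N j, Y",
    SHORT_DATE_FORMAT="m/d/Y",
)

# Names the 1.8.7 fix allows get_format() to resolve (FORMAT_SETTINGS in
# django.utils.formats). Reproduced from memory: treat the exact list as an
# assumption; the point is that SECRET_KEY and friends are not in it.
FORMAT_SETTINGS = frozenset([
    "DECIMAL_SEPARATOR", "THOUSAND_SEPARATOR", "NUMBER_GROUPING",
    "FIRST_DAY_OF_WEEK", "MONTH_DAY_FORMAT", "TIME_FORMAT", "DATE_FORMAT",
    "DATETIME_FORMAT", "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "DATE_INPUT_FORMATS", "TIME_INPUT_FORMATS",
    "DATETIME_INPUT_FORMATS",
])


def render_date(value, fmt):
    """Minimal stand-in for django.utils.dateformat.format: a handful of
    format characters are expanded, every other character is copied through
    unchanged (which is exactly why a secret used as a format string leaks)."""
    out = []
    for ch in fmt:
        if ch == "j":
            out.append(str(value.day))
        elif ch == "d":
            out.append("%02d" % value.day)
        elif ch == "n":
            out.append(str(value.month))
        elif ch == "m":
            out.append("%02d" % value.month)
        elif ch == "Y":
            out.append(str(value.year))
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_get_format(format_type):
    """Pre-1.8.7 behaviour (modelled): any settings attribute is reachable."""
    return getattr(settings, format_type, format_type)


def fixed_get_format(format_type):
    """1.8.7 behaviour (modelled): only date/time format settings resolve;
    any other argument is returned unchanged and used as a literal format."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


def date_filter(value, arg, get_format):
    """Model of the template filter: {{ value|date:arg }}."""
    return render_date(value, get_format(arg))


if __name__ == "__main__":
    when = datetime.date(2015, 11, 24)  # constructed sample date
    for name, gf in (("vulnerable", vulnerable_get_format), ("fixed", fixed_get_format)):
        print(name, "j/m/Y            ->", date_filter(when, "j/m/Y", gf))
        print(name, "SHORT_DATE_FORMAT ->", date_filter(when, "SHORT_DATE_FORMAT", gf))
        print(name, "SECRET_KEY        ->", date_filter(when, "SECRET_KEY", gf))
```

Running the block shows that a legitimate format ("j/m/Y") and a legitimate settings
name ("SHORT_DATE_FORMAT") render identically under both lookups, while "SECRET_KEY"
dumps most of the secret under the vulnerable lookup (only the characters that happen
to be format codes are replaced by date components) and renders as the literal text
"SECRET_KEY", with its Y expanded to the year, under the fixed one. The partial
substitution is worth remembering when judging impact: a real attacker recovers the
secret minus the handful of positions that collide with dateformat codes, and can
often infer those from context.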
OS | OS Version | Architecture | Package | Affected Version | Filename
---|---|---|---|---|---
any | any | any | python2-django | < 1.8.7-1 | UNKNOWN
any | any | any | python-django | < 1.8.7-1 | UNKNOWN