Loading django/utils/formats.py +20 −0 Original line number Diff line number Diff line Loading @@ -31,6 +31,24 @@ ISO_INPUT_FORMATS = { } FORMAT_SETTINGS = frozenset([ 'DECIMAL_SEPARATOR', 'THOUSAND_SEPARATOR', 'NUMBER_GROUPING', 'FIRST_DAY_OF_WEEK', 'MONTH_DAY_FORMAT', 'TIME_FORMAT', 'DATE_FORMAT', 'DATETIME_FORMAT', 'SHORT_DATE_FORMAT', 'SHORT_DATETIME_FORMAT', 'YEAR_MONTH_FORMAT', 'DATE_INPUT_FORMATS', 'TIME_INPUT_FORMATS', 'DATETIME_INPUT_FORMATS', ]) def reset_format_cache(): """Clear any cached formats. Loading Loading @@ -85,6 +103,8 @@ def get_format(format_type, lang=None, use_l10n=None): be localized (or not), overriding the value of settings.USE_L10N. """ format_type = force_str(format_type) if format_type not in FORMAT_SETTINGS: return format_type if use_l10n or (use_l10n is None and settings.USE_L10N): if lang is None: lang = get_language() Loading docs/releases/1.7.11.txt +14 −1 Original line number Diff line number Diff line Loading @@ -4,7 +4,20 @@ Django 1.7.11 release notes *Under development* Django 1.7.11 fixes a data loss bug in 1.7.10. Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10. Fixed settings leak possibility in ``date`` template filter =========================================================== If an application allows users to specify an unvalidated format for dates and passes this format to the :tfilter:`date` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``. To remedy this, the underlying function used by the ``date`` template filter, ``django.utils.formats.get_format()``, now only allows accessing the date/time formatting settings. Bugfixes ======== Loading tests/i18n/tests.py +3 −0 Original line number Diff line number Diff line Loading @@ -828,6 +828,9 @@ class FormattingTests(TestCase): '<input id="id_date_added" name="date_added" type="hidden" value="31.12.2009 06:00:00" />; <input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />' ) def test_format_arbitrary_settings(self): self.assertEqual(get_format('DEBUG'), 'DEBUG') class MiscTests(TestCase): Loading Loading
django/utils/formats.py +20 −0 Original line number Diff line number Diff line Loading @@ -31,6 +31,24 @@ ISO_INPUT_FORMATS = { } FORMAT_SETTINGS = frozenset([ 'DECIMAL_SEPARATOR', 'THOUSAND_SEPARATOR', 'NUMBER_GROUPING', 'FIRST_DAY_OF_WEEK', 'MONTH_DAY_FORMAT', 'TIME_FORMAT', 'DATE_FORMAT', 'DATETIME_FORMAT', 'SHORT_DATE_FORMAT', 'SHORT_DATETIME_FORMAT', 'YEAR_MONTH_FORMAT', 'DATE_INPUT_FORMATS', 'TIME_INPUT_FORMATS', 'DATETIME_INPUT_FORMATS', ]) def reset_format_cache(): """Clear any cached formats. Loading Loading @@ -85,6 +103,8 @@ def get_format(format_type, lang=None, use_l10n=None): be localized (or not), overriding the value of settings.USE_L10N. """ format_type = force_str(format_type) if format_type not in FORMAT_SETTINGS: return format_type if use_l10n or (use_l10n is None and settings.USE_L10N): if lang is None: lang = get_language() Loading
docs/releases/1.7.11.txt +14 −1 Original line number Diff line number Diff line Loading @@ -4,7 +4,20 @@ Django 1.7.11 release notes *Under development* Django 1.7.11 fixes a data loss bug in 1.7.10. Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10. Fixed settings leak possibility in ``date`` template filter =========================================================== If an application allows users to specify an unvalidated format for dates and passes this format to the :tfilter:`date` filter, e.g. ``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``. To remedy this, the underlying function used by the ``date`` template filter, ``django.utils.formats.get_format()``, now only allows accessing the date/time formatting settings. Bugfixes ======== Loading
tests/i18n/tests.py +3 −0 Original line number Diff line number Diff line Loading @@ -828,6 +828,9 @@ class FormattingTests(TestCase): '<input id="id_date_added" name="date_added" type="hidden" value="31.12.2009 06:00:00" />; <input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />' ) def test_format_arbitrary_settings(self): self.assertEqual(get_format('DEBUG'), 'DEBUG') class MiscTests(TestCase): Loading
