mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-23 21:59:11 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.

Browse Source 
Thanks Keryn Knight for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
This commit is contained in:
Markus Holtermann
2022-01-02 00:37:40 +01:00
committed by Mariusz Felisiak
parent 97a7274468
commit 394517f078
7 changed files with 87 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/ref/templates/builtins.txt
View File

@@ -194,7 +194,13 @@ from its first value when it's next encountered.
---------
Outputs a whole load of debugging information, including the current context
and imported modules.
and imported modules. ``{% debug %}`` outputs nothing when the :setting:`DEBUG`
setting is ``False``.
.. versionchanged:: 2.2.27
In older versions, debugging information was displayed when the
:setting:`DEBUG` setting was ``False``.
.. templatetag:: extends

10
docs/releases/2.2.27.txt
View File

@@ -6,4 +6,12 @@ Django 2.2.27 release notes
Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26.
...
CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================
The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.

10
docs/releases/3.2.12.txt
View File

@@ -6,4 +6,12 @@ Django 3.2.12 release notes
Django 3.2.12 fixes two security issues with severity "medium" in 3.2.11.
...
CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================
The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.

10
docs/releases/4.0.2.txt
View File

@@ -8,6 +8,16 @@ Django 4.0.2 fixes two security issues with severity "medium" and several bugs
in 4.0.1. Also, the latest string translations from Transifex are incorporated,
with a special mention for Bulgarian (fully translated).
CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
=============================================================
The ``{% debug %}`` template tag didn't properly encode the current context,
posing an XSS attack vector.
In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
information when the ``DEBUG`` setting is ``False``, and it ensures all context
variables are correctly escaped when the ``DEBUG`` setting is ``True``.
Bugfixes
========