mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-03-12 18:30:48 +00:00
Code Issues 32 Releases Wiki Activity

[5.2.x] Added security guideline on reasonable size limitations when rendering content via the DTL.

Browse Source 
This also removes the need to add warnings for every Django template filter.

Backport of 582ba18d56167587e290545f113d3956e73a5801 from main.
This commit is contained in:
Sarah Boyce 2025-02-21 16:47:59 +01:00
parent 865337ae92
commit d637e251b4
2 changed files with 26 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
docs/internals/security.txt
View File

@ -168,6 +168,32 @@ Django contains many private and undocumented functions that are not part of
its public API. If a vulnerability depends on directly calling these internal its public API. If a vulnerability depends on directly calling these internal
functions in an unsafe way, it will not be considered a valid security issue. functions in an unsafe way, it will not be considered a valid security issue.
Content displayed by the Django Template Language must be under 100 KB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Django Template Language (DTL) is designed for building the content needed
to display web pages. In particular its text filters are meant for that kind of
usage.
For reference, the complete works of Shakespeare have about 3.5 million bytes
in plain-text ASCII encoding. Displaying such in a single request is beyond the
scope of almost all websites, and so outside the scope of the DTL too.
Text processing is expensive. Django makes no guarantee that DTL text filters
are never subject to degraded performance if passed deliberately crafted,
sufficiently large inputs. Under default configurations, Django makes it
difficult for sites to accidentally accept such payloads from untrusted
sources, but, if it is necessary to display large amounts of user-provided
content, its important that basic security measures are taken.
User-provided content should always be constrained to known maximum length. It
should be filtered to remove malicious content, and validated to match expected
formats. It should then be processed offline, if necessary, before being
displayed.
Proof of concepts which use over 100 KB of data to be processed by the DTL will
be considered invalid.
.. _security-report-evaluation: .. _security-report-evaluation:
How does Django evaluate a report How does Django evaluate a report

11
docs/ref/templates/builtins.txt
View File

@ -2922,17 +2922,6 @@ Django's built-in :tfilter:`escape` filter. The default value for
email addresses that contain single quotes (``'``), things won't work as email addresses that contain single quotes (``'``), things won't work as
expected. Apply this filter only to plain text. expected. Apply this filter only to plain text.
.. warning::
Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
can become severe when applied to user controlled values such as content
stored in a :class:`~django.db.models.TextField`. You can use
:tfilter:`truncatechars` to add a limit to such inputs:
.. code-block:: html+django
{{ value|truncatechars:500|urlize }}
.. templatefilter:: urlizetrunc .. templatefilter:: urlizetrunc
``urlizetrunc`` ``urlizetrunc``