Hi!

I have a question regarding the fix for CVE-2021-45116. In this fix the 
resolving logic for 'paths' passed to dictsort is simplified to no longer 
support indexing into lists, nor to support method-calls on objects.

The explanation here is that:
> Due to leveraging the Django Template Language's variable resolution logic, 
> the dictsort template filter was potentially vulnerable to information 
> disclosure or unintended method calls, if passed a suitably crafted key.

Unfortunately (at least for us), this breaks the case where dictsort was used 
with a static argument that looked up a callable. A quick code search showed 
that the pattern dictsort.*get 
(https://github.com/search?q=%22dictsort.*get%22&type=Code) is less used than I 
would expect it to be used, but used nonetheless.

On the other hand, searching publicly viewable code for cases where dictsort 
gets a dynamic value yields very few results: 
https://grep.app/search?q=dictsort%3A%5B%5E%22%270-9%5D&regexp=true&case=true, 
only one of which I can recognize as a Django template: 
https://github.com/crodas/Haanga/blob/develop/tests/assert_templates/regroup.tpl#L3

Since the previous behaviour of allowing callables was in place already in 
2005 (I could find 
https://github.com/django/django/commit/ed114e15106192b22ebb78ef5bf5bce72b419d13#diff-e05e2e8efbf1fa5eea1ffee16cc8b740cba7b1bff746b2e55cebf968a0983f2cR192, 
where the filter is introduced), I would argue that even though it may not 
have been explicitly documented that this syntax allows callables, I don't 
think it's far-fetched to consider it to always have been supported.

However, before creating a ticket, I was wondering what the sentiment of 
django-developers is here. My own sentiments are summarized by what's also 
mentioned in the announcement blogpost.

>  As a reminder, all untrusted user input should be validated before use.

As an example, even with the change, {% for user in users|dictsort:"password" %} 
would still be supported, which could still be counted as potential information 
disclosure.

Kind regards,
Sjoerd Job Postmus
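The difference the message is talking about, as an added example that is not part of this thread and not Django's own code: two small resolvers that approximate the pre-fix (template-language style, callables invoked, integer indexing) and post-fix (item lookup then plain getattr, nothing called) behaviour of the dictsort key, plus the allowlist check the "validate untrusted input" reminder implies. The Account class, its fields and the allowlist contents are constructed sample data; the resolvers are simplified approximations, not the Django implementation.

```python
from operator import itemgetter


class Account:
    """Constructed sample record. The method keeps a call counter so the
    two resolvers can be told apart by their side effects."""

    def __init__(self, name, password):
        self.name = name
        self.password = password
        self._secret = "internal"  # underscore-prefixed, must stay unreachable
        self.calls = 0

    def lookup(self):
        self.calls += 1
        return self.name.lower()


def resolve_like_template(obj, path):
    """Approximation of Django Template Language variable resolution:
    dict item, then attribute, then integer index, calling any callable it
    lands on. This is what dictsort inherited before the CVE-2021-45116 fix."""
    for bit in str(path).split("."):
        try:
            obj = obj[bit]
        except (TypeError, AttributeError, KeyError, ValueError, IndexError):
            try:
                obj = getattr(obj, bit)
            except AttributeError:
                obj = obj[int(bit)]  # list/tuple index
        if callable(obj):
            obj = obj()  # the "unintended method call"
    return obj


def resolve_restricted(obj, path):
    """Approximation of the post-fix resolver: a numeric argument is a plain
    item lookup; otherwise chain item lookup and getattr, never call
    anything, and refuse underscore-prefixed names."""
    try:
        float(path)
    except (TypeError, ValueError):
        pass
    else:
        return itemgetter(path)(obj)
    if path.startswith("_") or "._" in path:
        raise AttributeError("Access to private variables is forbidden.")
    for bit in path.split("."):
        try:
            obj = obj[bit]
        except (AttributeError, IndexError, KeyError, TypeError, ValueError):
            obj = getattr(obj, bit)
    return obj


# Hypothetical allowlist of sort keys a view is willing to accept from a user.
ALLOWED_SORT_KEYS = frozenset({"name"})


def sort_by_allowed_key(rows, key, allowed=ALLOWED_SORT_KEYS):
    """A sort key that originates in user input is validated against an
    allowlist before any resolver sees it; the resolver alone does not stop
    a caller from selecting an attribute such as "password"."""
    if key not in allowed:
        raise ValueError(f"unsupported sort key: {key!r}")
    return sorted(rows, key=lambda row: resolve_restricted(row, key))


def demo():
    alice, bob = Account("Alice", "hunter2"), Account("Bob", "swordfish")
    results = {}
    # 1. Template-style resolution invokes the method.
    results["template_calls_method"] = resolve_like_template(alice, "lookup")
    results["calls_after_template"] = alice.calls
    # 2. Restricted resolution hands back the bound method untouched.
    results["restricted_is_callable"] = callable(resolve_restricted(alice, "lookup"))
    results["calls_after_restricted"] = alice.calls
    # 3. Indexing into a list via a dotted string is gone after the fix.
    try:
        resolve_restricted([alice], "0.name")
        results["list_index_restricted"] = "allowed"
    except AttributeError:
        results["list_index_restricted"] = "rejected"
    results["list_index_template"] = resolve_like_template([alice], "0.name")
    # 4. A numeric argument still sorts a list of tuples by position.
    pairs = sorted([("b", 2), ("a", 1)], key=lambda t: resolve_restricted(t, 0))
    results["numeric"] = [t[0] for t in pairs]
    # 5. A plain attribute such as "password" is still resolvable after the fix,
    #    so the allowlist is what keeps a user-chosen key away from it.
    results["password_resolvable"] = resolve_restricted(bob, "password")
    try:
        sort_by_allowed_key([bob, alice], "password")
        results["allowlist"] = "allowed"
    except ValueError:
        results["allowlist"] = "rejected"
    results["sorted_names"] = [a.name for a in sort_by_allowed_key([bob, alice], "name")]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Point 5 is the one the message makes: the narrowed resolver removes method calls and list indexing, but a static `dictsort:"password"` still sorts on that field, so the sort key needs validating where it enters the application rather than relying on the filter.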

________________________________
From: django-developers@googlegroups.com <django-developers@googlegroups.com> 
on behalf of Carlton Gibson <carlton.gib...@gmail.com>
Sent: 04 January 2022 11:03
To: django-annou...@googlegroups.com <django-annou...@googlegroups.com>; Django 
developers (Contributions to Django itself) 
<django-developers@googlegroups.com>; django-us...@googlegroups.com 
<django-us...@googlegroups.com>
Subject: Django security releases issued: 4.0.1, 3.2.11, and 2.2.26

Details are available on the Django project weblog:

https://www.djangoproject.com/weblog/2022/jan/04/security-releases/


--
You received this message because you are subscribed to the Google Groups 
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAJwKpyRqsW8dtfD0KNuHoztipNZ-D9tbyqo1npsOv60fjeE%3DBw%40mail.gmail.com.
