#11377: Filters should apply safe-ness rules to filter arguments
----------------------------------------+-----------------------------------
 Reporter:  steveire                    |       Owner:  nobody    
   Status:  new                         |   Milestone:            
Component:  Template system             |     Version:  1.0       
 Keywords:  filters escaping arguments  |       Stage:  Unreviewed
Has_patch:  1                           |  
----------------------------------------+-----------------------------------
 This was reported to security@, but is being treated as a normal bug
 because it requires lots of prerequisite knowledge from an attacker.

 A filter uses is_safe=True to note that if given safe input it will
 generate safe output. However, it seems that only applies to the 'value'
 argument to the filter, but not to the 'arg' argument.

 The attached patch and test to the join filter may make this clear.
 Currently string literals and variables are rendered unescaped, so join05
 and join07 fail.

 This could be exploitable if an attacker knew the join filter was used to
 join arguments with another user-supplied argument. I have not looked
 extensively yet at other filters, but there could be others vulnerable to
 this.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/11377>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
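The following is an added, stand-alone illustration of the escaping gap the ticket describes; it is not the ticket's attached patch and not Django's own code. SafeString, mark_safe and conditional_escape below are minimal stand-ins modelled on the Django helpers of the same names, and join_unsafe_arg / join_fixed are hypothetical filter implementations written for this example: the first escapes each item of 'value' but joins with 'arg' verbatim and still marks the result safe, the second applies the same conditional-escape rule to 'arg' so a separator taken from user input is neutralised while an explicitly safe separator still passes through.

```python
import html


class SafeString(str):
    """Marker type: a string the template engine may emit without escaping."""


def mark_safe(s):
    """Wrap s in the safe marker (idempotent)."""
    return s if isinstance(s, SafeString) else SafeString(s)


def conditional_escape(s):
    """HTML-escape s unless it has already been marked safe."""
    if isinstance(s, SafeString):
        return s
    return mark_safe(html.escape(str(s), quote=True))


def join_unsafe_arg(value, arg, autoescape=True):
    """Hypothetical filter reproducing the reported behaviour.

    Each item of 'value' is escaped under autoescape, but the separator
    'arg' is used as-is, and because the filter is is_safe=True the whole
    result is marked safe. A separator under attacker control therefore
    reaches the rendered page unescaped.
    """
    items = [str(v) for v in value]
    if autoescape:
        items = [conditional_escape(v) for v in items]
    return mark_safe(str(arg).join(items))


def join_fixed(value, arg, autoescape=True):
    """Hypothetical hardened filter: the safe-ness rule covers 'arg' too.

    Under autoescape the separator is conditionally escaped exactly like
    the items, so plain user input such as '<br>' is rendered literally,
    while a separator the template author has deliberately marked safe
    (mark_safe('<br>')) is still emitted as markup.
    """
    items = [str(v) for v in value]
    if autoescape:
        items = [conditional_escape(v) for v in items]
        arg = conditional_escape(arg)
    return mark_safe(str(arg).join(items))


# Constructed sample: a list of user-visible items plus a separator that
# also came from user input (e.g. a template variable rather than a literal).
SAMPLE_ITEMS = ["<a>", "b"]
USER_SEPARATOR = "<br>"


def demo():
    """Return the three renderings side by side so the difference is visible."""
    return {
        "unsafe": str(join_unsafe_arg(SAMPLE_ITEMS, USER_SEPARATOR)),
        "fixed": str(join_fixed(SAMPLE_ITEMS, USER_SEPARATOR)),
        "fixed_safe_sep": str(join_fixed(SAMPLE_ITEMS, mark_safe(USER_SEPARATOR))),
    }


if __name__ == "__main__":
    for name, rendered in demo().items():
        print(f"{name:15} {rendered}")
```

Run as a script to see that only the "unsafe" rendering carries the raw separator tag; the same structure applies to any is_safe filter whose argument is interpolated into the output rather than used purely as a parameter.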