Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#11377 closed (fixed)

Filters should apply safe-ness rules to filter arguments

Reported by: steveire
Owned by: nobody
Component: Template system
Version: 1.0
Severity:
Keywords: filters escaping arguments
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

This was reported to security@, but is being treated as a normal bug because
it requires lots of prerequisite knowledge from an attacker.

A filter uses is_safe=True to note that if given safe input it will generate
safe output. However, it seems that only applies to the 'value' argument to
the filter, but not to the 'arg' argument.

The attached patch and test to the join filter may make this clear. Currently
string literals and variables are rendered unescaped, so join05 and join07
fail.

This could be exploitable if an attacker knew the join filter was used to join
arguments with another user-supplied argument. I have not looked extensively
yet at other filters, but there could be others vulnerable to this.

Attachments (1)

cond_escape_join.patch (1.9 KB) - added by steveire 6 years ago.


Change History (5)

Changed 6 years ago by steveire

comment:1 Changed 6 years ago by Alex

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted

comment:2 Changed 5 years ago by jacob

  • Triage Stage changed from Accepted to Ready for checkin

comment:3 Changed 5 years ago by jacob

  • Resolution set to fixed
  • Status changed from new to closed

(In [13464]) Fixed #11377: the template join filter now correctly escapes the joiner, too.

Thanks, Stephen Kelly.

comment:4 Changed 5 years ago by jacob

(In [13465]) [1.2.X] Fixed #11377: the template join filter now correctly escapes the joiner, too.

Thanks, Stephen Kelly.

Backport of [13464] from trunk.
