Opened 16 months ago

Closed 16 months ago

Last modified 16 months ago

#34770 closed Bug (invalid)

Default autoescape off in password_reset_email.html

Reported by: Yi Ming Yung Owned by: Yi Ming Yung
Component: contrib.auth Version: 4.2
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In the source code, the contents of password_reset_email.html has {% autoescape off %} by default. This causes none of the variables being put into the template to be escaped properly. This can lead to some simple html injection. It's not a big security issue but it seems inconsistent as this is the only template in the source code to do so.

I am also not sure why this would be desired in an email template or at all by default for that matter. If someone knows or has a valid usecase for this, please let me know.

For reference:
https://github.com/django/django/blob/59f475470494ce5b8cbff816b1e5dafcbd10a3a3/django/contrib/admin/templates/registration/password_reset_email.html#L1C11-L1C11

Change History (3)

comment:1 by Yi Ming Yung, 16 months ago

Owner: changed from nobody to Yi Ming Yung
Triage Stage: UnreviewedReady for checkin

comment:2 by Natalia Bidart, 16 months ago

Keywords: autoescape password_reset template removed
Resolution: needsinfo
Status: assignedclosed
Triage Stage: Ready for checkinUnreviewed

Hello Yi Ming Yung,

The template you mentioned is used by the internal system and all the variables sent in the context are under the control of the django auth app, and not by the user. The only external input is the email address to use to send the password reset email, and that email is not passed to the template, and also is ignored if it does not match a user in the system.

If you have managed to indeed generate an html injection, please do not post details in this ticket and send those to the security email instead.

Also, please read the guidelines for ticket triage stages, the person submitting a patch should not mark their own tickets as Ready for checkin.

Thank you!

comment:3 by Natalia Bidart, 16 months ago

Resolution: needsinfoinvalid

Changing status to invalid after a email threan in the security mailing list.

Note: See TracTickets for help on using tickets.
Back to Top