#34770 closed Bug (invalid)
Default autoescape off in password_reset_email.html
| Reported by: | Yi Ming Yung | Owned by: | Yi Ming Yung |
|---|---|---|---|
| Component: | contrib.auth | Version: | 4.2 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
In the source code, the contents of password_reset_email.html have `{% autoescape off %}` by default. This causes none of the variables being put into the template to be escaped properly. This can lead to some simple HTML injection. It's not a big security issue, but it seems inconsistent as this is the only template in the source code to do so.
I am also not sure why this would be desired in an email template, or at all by default for that matter. If someone knows or has a valid use case for this, please let me know.
Change History (3)
comment:1 by , 17 months ago
| Owner: | changed from | to |
|---|---|---|
| Triage Stage: | Unreviewed → Ready for checkin | |
comment:2 by , 17 months ago
| Keywords: | autoescape password_reset template removed |
|---|---|
| Resolution: | → needsinfo |
| Status: | assigned → closed |
| Triage Stage: | Ready for checkin → Unreviewed |
comment:3 by , 17 months ago
| Resolution: | needsinfo → invalid |
|---|---|
Changing status to invalid after an email thread on the security mailing list.
Hello Yi Ming Yung,
The template you mentioned is used by the internal system and all the variables sent in the context are under the control of the django auth app, and not by the user. The only external input is the email address to use to send the password reset email, and that email is not passed to the template, and also is ignored if it does not match a user in the system.
If you have managed to indeed generate an html injection, please do not post details in this ticket and send those to the security email instead.
Also, please read the guidelines for ticket triage stages: the person submitting a patch should not mark their own tickets as Ready for checkin. Thank you!