Opened 3 months ago
Last modified 3 months ago
#36436 assigned Cleanup/optimization
Sensitive signer.key exposed via Django messages framework in templates
Reported by: | Sarah Boyce | Owned by: | SOHAIL AHMAD |
---|---|---|---|
Component: | contrib.messages | Version: | 5.1 |
Severity: | Normal | Keywords: | |
Cc: | Adam Johnson, Jake Howard | Triage Stage: | Accepted |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The following was reported by Fredrick Peters to the Django security team.
We’ve reviewed the issue and concluded that it can be publicly tracked as a hardening measure, as it assumes the attacker already has the ability to write Django templates. There is already a documented warning against untrusted template authors in the Django template documentation: https://docs.djangoproject.com/en/5.2/topics/templates/#module-django.template
The template system isn’t safe against untrusted template authors. For example, a site shouldn’t allow its users to provide their own templates, since template authors can do things like perform XSS attacks and access properties of template variables that may contain sensitive information.
The specific issue is that when django.contrib.messages is in INSTALLED_APPS and the default message storage is used (CookieStorage), a template author can access:
    {{ messages.storages.0.signer.key }}
This exposes the signer key used internally to sign messages, which is ultimately derived from Django’s SECRET_KEY. This is possible because CookieStorage assigns the signer as a public attribute:
    from django.core import signing

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        # Public attribute, so it is reachable from templates via messages.storages.0.signer
        self.signer = signing.get_cookie_signer(salt=self.key_salt)
It might still be beneficial to change self.signer to a private attribute (e.g., self._signer) or otherwise shield direct access to sensitive internals via the template context.
This isn’t a security vulnerability but qualifies as a useful hardening change to prevent accidental exposure by users who may not fully understand the risks of template authoring.
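As an added illustration (not code from Django or from this ticket), the following pure-Python model of Django's dotted template-variable lookup shows why a public signer attribute is reachable from {{ messages.storages.0.signer.key }} while an underscore-prefixed _signer is refused at template parse time. The Signer class, both storage classes, the context shape and the simplified key derivation are constructed stand-ins for the example.

```python
import hashlib
import hmac

SECRET_KEY = "constructed-secret-key"  # constructed sample value

class Signer:
    """Stand-in for the object get_cookie_signer() returns; .key is
    derived from SECRET_KEY (derivation simplified, not Django's)."""
    def __init__(self, salt):
        self.key = hmac.new(SECRET_KEY.encode(), salt.encode(), hashlib.sha256).hexdigest()

class PublicSignerStorage:
    """Mirrors the ticket's CookieStorage: signer is a public attribute."""
    def __init__(self):
        self.signer = Signer(salt="django.contrib.messages")

class PrivateSignerStorage:
    """The proposed hardening: same signer under an underscore name."""
    def __init__(self):
        self._signer = Signer(salt="django.contrib.messages")

class TemplateSyntaxError(Exception):
    """Raised at template parse time, as Django does for '_' segments."""

def resolve(var, context):
    """Model of Django's Variable lookup: reject underscore-prefixed
    segments, then try dict key, attribute, list index per segment;
    a failed lookup renders as string_if_invalid ('' by default)."""
    bits = var.split(".")
    if any(bit.startswith("_") for bit in bits):
        raise TemplateSyntaxError("attributes may not begin with underscores: %r" % var)
    current = context
    for bit in bits:
        try:
            current = current[bit]
        except (TypeError, KeyError, IndexError):
            try:
                current = getattr(current, bit)
            except AttributeError:
                try:
                    current = current[int(bit)]
                except (TypeError, ValueError, IndexError):
                    return ""
    return current

def template_lookup(storage, var="messages.storages.0.signer.key"):
    """Value a template author sees for {{ var }} with storage as
    messages.storages[0] (context shape constructed for the example)."""
    return resolve(var, {"messages": {"storages": [storage]}})
```

With the public attribute the full derived key string comes back; with the private attribute the same variable renders as an empty string, and spelling out _signer in the template is rejected before rendering.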
Change History (4)
comment:1 by , 3 months ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 3 months ago
Cc: | added |
---|
comment:3 by , 3 months ago
Cc: | added |
---|
comment:4 by , 3 months ago
Owner: | set to |
---|---|
Status: | new → assigned |