Opened 3 months ago

Last modified 3 months ago

#36436 assigned Cleanup/optimization

Sensitive signer.key exposed via Django messages framework in templates

Reported by: Sarah Boyce Owned by: SOHAIL AHMAD
Component: contrib.messages Version: 5.1
Severity: Normal Keywords:
Cc: Adam Johnson, Jake Howard Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The following was reported by Fredrick Peters to the Django security team.

We’ve reviewed the issue and concluded that it can be publicly tracked as a hardening measure, as it assumes the attacker already has the ability to write Django templates. There is already a documented warning against untrusted template authors in the Django template documentation: https://docs.djangoproject.com/en/5.2/topics/templates/#module-django.template

The template system isn’t safe against untrusted template authors. For example, a site shouldn’t allow its users to provide their own templates, since template authors can do things like perform XSS attacks and access properties of template variables that may contain sensitive information.

The specific issue is that when django.contrib.messages is in INSTALLED_APPS and the default message storage is used (CookieStorage), a template author can access:

{{ messages.storages.0.signer.key }}

This exposes the signer key used internally to sign messages, which is ultimately derived from Django’s SECRET_KEY. This is possible because CookieStorage assigns the signer as a public attribute:

def __init__(self, *args, **kwargs):
    super().__init__(*args, **kwargs)
    self.signer = signing.get_cookie_signer(salt=self.key_salt)

It might still be beneficial to change self.signer to a private attribute (e.g., self._signer) or otherwise shield direct access to sensitive internals via the template context.

This isn’t a security vulnerability but qualifies as a useful hardening change to prevent accidental exposure by users who may not fully understand the risks of template authoring.
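Added illustration, not part of the ticket or of Django's own code: a simplified re-implementation of the dotted-lookup rule in django.template.Variable (dict key, then attribute, then list index, with underscore-prefixed names refused at parse time), applied to a stand-in for CookieStorage before and after the proposed rename. The class names and the key value are constructed for the example.

```python
from types import SimpleNamespace
from typing import Any

class TemplateLookupError(Exception):
    """Raised when a template variable cannot, or may not, be resolved."""

def resolve(var: str, context: dict) -> Any:
    """Simplified model of django.template.Variable lookup (not Django's code):
    each dotted segment is tried as dict key, then attribute, then list index,
    and any segment beginning with '_' is rejected before lookup starts."""
    segments = var.split(".")
    if any(seg.startswith("_") for seg in segments):
        raise TemplateLookupError("names may not begin with underscores: %r" % var)
    current: Any = context
    for seg in segments:
        try:
            current = current[seg]  # dict-style lookup
        except (TypeError, KeyError):
            if hasattr(current, seg):
                current = getattr(current, seg)  # attribute lookup
            else:
                try:
                    current = current[int(seg)]  # list-index lookup
                except (ValueError, TypeError, IndexError):
                    raise TemplateLookupError("failed lookup for %r in %r" % (seg, var))
    return current

# The key value below is a constructed placeholder, not a real secret.
PLACEHOLDER_KEY = "constructed-placeholder-key"

class ExposedStorage:
    """Mirrors CookieStorage as quoted in the ticket: signer is a public attribute."""
    def __init__(self):
        self.signer = SimpleNamespace(key=PLACEHOLDER_KEY)  # stand-in for the signer

class HardenedStorage:
    """Proposed hardening: the same signer object kept under a private name."""
    def __init__(self):
        self._signer = SimpleNamespace(key=PLACEHOLDER_KEY)

def template_can_read_key(storage) -> bool:
    """True if a template path (public or underscore-prefixed) reaches the key."""
    context = {"messages": {"storages": [storage]}}
    for path in ("messages.storages.0.signer.key", "messages.storages.0._signer.key"):
        try:
            return resolve(path, context) == PLACEHOLDER_KEY
        except TemplateLookupError:
            continue
    return False
```

With the public attribute the path from the ticket resolves to the key; after the rename both the public path (no such attribute) and the underscore path (refused outright) fail, which is the whole effect of the hardening.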

Change History (4)

comment:1 by David Sanders, 3 months ago

Triage Stage: Unreviewed → Accepted

comment:2 by Adam Johnson, 3 months ago

Cc: Adam Johnson added

comment:3 by Jake Howard, 3 months ago

Cc: Jake Howard added

comment:4 by SOHAIL AHMAD, 3 months ago

Owner: set to SOHAIL AHMAD
Status: new → assigned