id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36436	Sensitive signer.key exposed via Django messages framework in templates	Sarah Boyce	Sachi Jain	"The following was reported by Fredrick Peters to the Django security team.

We’ve reviewed the issue and concluded that it can be publicly tracked as a hardening measure, as it assumes the attacker already has the ability to write Django templates. There is already a documented warning against untrusted template authors in the Django template documentation: https://docs.djangoproject.com/en/5.2/topics/templates/#module-django.template

> The template system isn’t safe against untrusted template authors. For example, a site shouldn’t allow its users to provide their own templates, since template authors can do things like perform XSS attacks and access properties of template variables that may contain sensitive information.

The specific issue is that when `django.contrib.messages` is in `INSTALLED_APPS` and the default message storage is used (`CookieStorage`), a template author can access:

{{{
{{ messages.storages.0.signer.key }}
}}}

This exposes the signer key used internally to sign messages, which is ultimately derived from Django’s `SECRET_KEY`. This is possible because `CookieStorage` assigns the signer as a public attribute:

{{{#!python
def __init__(self, *args, **kwargs):
    super().__init__(*args, **kwargs)
    self.signer = signing.get_cookie_signer(salt=self.key_salt)
}}}

It might still be beneficial to change `self.signer` to a private attribute (e.g., `self._signer`) or otherwise shield direct access to sensitive internals via the template context.

This isn’t a security vulnerability but qualifies as a useful hardening change to prevent accidental exposure by users who may not fully understand the risks of template authoring."	Cleanup/optimization	assigned	contrib.messages	5.1	Normal			Adam Johnson Jake Howard	Accepted	1	0	0	0	0	0
