Opened 38 minutes ago
#37174 new Bug
Template fragment cache key collision for vary_on values containing ":"
| Reported by: | Jacob Walls | Owned by: | |
|---|---|---|---|
| Component: | Template system | Version: | 6.0 |
| Severity: | Normal | Keywords: | not-security |
| Cc: | | Triage Stage: | Unreviewed |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The documented example for template fragment caching demonstrates using `request.user.username` as a `vary_on` argument. If that username contained `:`, and another `vary_on` argument was present, then two cache keys might collide, and the wrong content could be served.
See this PoC provided to the Security Team:
```python
from django.core.cache.utils import make_template_fragment_key

# The two vary_on lists differ, but once the values are joined with ":"
# they produce the same byte sequence ("alice:b:c:"), hence the same key.
a = make_template_fragment_key("frag", ["alice", "b:c"])
b = make_template_fragment_key("frag", ["alice:b", "c"])
assert a == b  # same key
```
We decided against accepting this as a security issue given the unlikelihood of colons in the data most important to vary on from a security perspective, e.g. usernames in a username + language code vary_on pair, but there is a correctness issue to fix here.
One fix strategy would involve incorporating the lengths of the arguments into the cache key.
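As an added illustration, not code from this ticket or from Django itself: a key derivation modelled on the separator-joining scheme the PoC above exercises, beside a length-prefixed variant of the kind the previous sentence suggests. It also covers a second ambiguous case (an empty trailing value versus a value ending in `:`). The function names `colon_joined_key`, `length_prefixed_key` and `collides` are this example's own.

```python
from hashlib import md5

# Same key layout Django uses for fragment keys; the hash is only a
# fixed-length digest of the vary_on values, not a security boundary.
TEMPLATE_FRAGMENT_KEY_TEMPLATE = "template.cache.%s.%s"


def colon_joined_key(fragment_name, vary_on=None):
    """Modelled on the scheme in the ticket: every vary_on value is fed
    to the hasher followed by a bare ':' separator, so a ':' inside a
    value is indistinguishable from a value boundary."""
    hasher = md5(usedforsecurity=False)
    if vary_on is not None:
        for arg in vary_on:
            hasher.update(str(arg).encode())
            hasher.update(b":")
    return TEMPLATE_FRAGMENT_KEY_TEMPLATE % (fragment_name, hasher.hexdigest())


def length_prefixed_key(fragment_name, vary_on=None):
    """Hypothetical fix: prefix each value with its byte length (netstring
    style, '5:alice'). The prefix fixes where each value ends, so no
    choice of separator character inside the data can shift a boundary."""
    hasher = md5(usedforsecurity=False)
    if vary_on is not None:
        for arg in vary_on:
            data = str(arg).encode()
            hasher.update(b"%d:" % len(data))
            hasher.update(data)
    return TEMPLATE_FRAGMENT_KEY_TEMPLATE % (fragment_name, hasher.hexdigest())


def collides(key_func, fragment_name, vary_a, vary_b):
    """True when two *different* vary_on lists map to the same cache key."""
    if list(map(str, vary_a)) == list(map(str, vary_b)):
        return False
    return key_func(fragment_name, vary_a) == key_func(fragment_name, vary_b)


# Constructed inputs: the ticket's pair plus an empty-value variant.
AMBIGUOUS_PAIRS = [
    (["alice", "b:c"], ["alice:b", "c"]),
    (["alice", ""], ["alice:"]),
]

if __name__ == "__main__":
    for vary_a, vary_b in AMBIGUOUS_PAIRS:
        print(vary_a, vary_b)
        print("  colon-joined collides:   ", collides(colon_joined_key, "frag", vary_a, vary_b))
        print("  length-prefixed collides:", collides(length_prefixed_key, "frag", vary_a, vary_b))
```

Because the length-prefixed digest differs from the colon-joined one for every input, switching schemes invalidates all existing fragment keys at once, which is the cache-busting effect the next paragraph is concerned with.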
Since this will cause cache busting, we should probably document in the release note something similar to the note from 5cb3ed187b283059589cb442c56a66a795800cac.