Django 2.2.28 documentation

Home | Table of contents | Index | Modules

« previous | up | next »

Django 1.7.11 release notes¶

November 24, 2015

Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.

Fixed settings leak possibility in `date` template filter¶

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application’s settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.

Bugfixes¶

Fixed a data loss possibility with Prefetch if to_attr is set to a ManyToManyField (#25693).

« previous | up | next »

Django 2.2.28 documentation

Django 1.7.11 release notes¶

Fixed settings leak possibility in `date` template filter¶

Bugfixes¶

Table of Contents

Previous topic

Next topic

This Page

Last update:

Django 2.2.28 documentation

Django 1.7.11 release notes¶

Fixed settings leak possibility in date template filter¶

Bugfixes¶

Last update:

Fixed settings leak possibility in `date` template filter¶