November 24, 2015
Django 1.7.11 memperbaiki masalah kesalahan dan kesalahan kehilangan data di 1.7.10.
date
template filter¶If an application allows users to specify an unvalidated format for dates and
passes this format to the date
filter, e.g.
{{ last_updated|date:user_date_format }}
, then a malicious user could
obtain any secret in the application’s settings by specifying a settings key
instead of a date format. e.g. "SECRET_KEY"
instead of "j/m/Y"
.
To remedy this, the underlying function used by the date
template filter,
django.utils.formats.get_format()
, now only allows accessing the date/time
formatting settings.
Agt 01, 2016