[Django] #34770: Default autoescape off in password_reset_email.html


Django

Aug 11, 2023, 8:35:28 AM8/11/23
to django-...@googlegroups.com
#34770: Default autoescape off in password_reset_email.html
-------------------------------------+-------------------------------------
Reporter: Yi Ming Yung | Owner: nobody
Type: Bug | Status: assigned
Component: contrib.auth | Version: 4.2
Severity: Normal | Keywords: autoescape password_reset template
Triage Stage: Unreviewed | Has patch: 1
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------+-------------------------------------
In the source code, the contents of password_reset_email.html have {%
autoescape off %} by default. This causes none of the variables being put
into the template to be escaped properly. This can lead to some simple
HTML injection. It's not a big security issue but it seems inconsistent as
this is the only template in the source code to do so.

I am also not sure why this would be desired in an email template or at
all by default for that matter. If someone knows or has a valid use case
for this, please let me know.

For reference:
https://github.com/django/django/blob/59f475470494ce5b8cbff816b1e5dafcbd10a3a3/django/contrib/admin/templates/registration/password_reset_email.html#L1C11-L1C11

--
Ticket URL: <https://code.djangoproject.com/ticket/34770>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
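As an added example (not Django's template engine and not code from the ticket), a small emulation of {{ var }} substitution under {% autoescape %} that renders a constructed, abridged stand-in for the reset email template with a constructed context carrying the keys PasswordResetForm supplies, so the effect of the tag on a plain-text body can be compared directly. RESET_EMAIL_TEMPLATE, RESET_CONTEXT, render and reset_email_body are this example's own names, and the uid and token values are placeholders.

```python
import html
import re

# Constructed, abridged stand-in for Django's password_reset_email.html (opens with {% autoescape off %}).
RESET_EMAIL_TEMPLATE = (
    "{% autoescape off %}You're receiving this email because you requested "
    "a password reset for your user account at {{ site_name }}.\n\n"
    "Please go to the following page and choose a new password:\n"
    "{{ protocol }}://{{ domain }}/reset/{{ uid }}/{{ token }}/\n"
    "{% endautoescape %}"
)

RESET_CONTEXT = {  # constructed; keys match what PasswordResetForm supplies
    "site_name": "Rock & Roll Records",
    "domain": "example.com",
    "protocol": "https",
    "uid": "uid-placeholder",
    "token": "token-placeholder",
}

TAG_RE = re.compile(r"{%\s*autoescape\s+(on|off)\s*%}|{%\s*endautoescape\s*%}|{{\s*(\w+)\s*}}")


def render(template: str, context: dict) -> str:
    """Emulate {{ var }} substitution with Django's autoescape semantics: on by
    default, toggled by {% autoescape on|off %} ... {% endautoescape %}, and
    escaping via html.escape (which django.utils.html.escape delegates to)."""
    out, stack, escaping, pos = [], [], True, 0
    for m in TAG_RE.finditer(template):
        out.append(template[pos:m.start()])
        pos = m.end()
        mode, var = m.group(1), m.group(2)
        if var is not None:  # {{ var }}: escape only while autoescape is on
            value = str(context.get(var, ""))
            out.append(html.escape(value) if escaping else value)
        elif mode is not None:  # {% autoescape on|off %}: push previous state
            stack.append(escaping)
            escaping = mode == "on"
        else:  # {% endautoescape %}: restore the enclosing state
            escaping = stack.pop()
    out.append(template[pos:])
    return "".join(out)


def reset_email_body(context: dict, autoescape_off: bool = True) -> str:
    """Render the email as shipped (autoescape off) or with the tag flipped to on;
    the body is the message's text/plain part, so an escaped '&amp;' would be literal."""
    template = RESET_EMAIL_TEMPLATE
    if not autoescape_off:
        template = template.replace("{% autoescape off %}", "{% autoescape on %}")
    return render(template, context)
```

With the shipped tag the site name renders as "Rock & Roll Records"; with autoescape on it renders as "Rock &amp; Roll Records" inside a text/plain email, which is the trade-off the reporter's question turns on.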

Django

Aug 11, 2023, 9:27:13 AM8/11/23
to django-...@googlegroups.com
#34770: Default autoescape off in password_reset_email.html
-------------------------------------+-------------------------------------
Reporter: Yi Ming Yung | Owner: Yi Ming Yung
Type: Bug | Status: assigned
Component: contrib.auth | Version: 4.2
Severity: Normal | Resolution:
Keywords: autoescape password_reset template | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Yi Ming Yung):

* owner: nobody => Yi Ming Yung
* stage: Unreviewed => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/34770#comment:1>

Django

Aug 11, 2023, 9:39:47 AM8/11/23
to django-...@googlegroups.com
#34770: Default autoescape off in password_reset_email.html
------------------------------+----------------------------------------
Reporter: Yi Ming Yung | Owner: Yi Ming Yung
Type: Bug | Status: closed
Component: contrib.auth | Version: 4.2
Severity: Normal | Resolution: needsinfo
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+----------------------------------------
Changes (by Natalia Bidart):

* keywords: autoescape password_reset template =>
* status: assigned => closed
* resolution: => needsinfo
* stage: Ready for checkin => Unreviewed


Comment:

Hello Yi Ming Yung,

The template you mentioned is used by the internal system and all the
variables sent in the context are
[https://github.com/django/django/blob/59f475470494ce5b8cbff816b1e5dafcbd10a3a3/django/contrib/auth/forms.py#L356
under the control of the django auth app], and not by the user. The only
external input is the email address to use to send the password reset
email, and that email is not passed to the template, and also is ignored
if it does not match a user in the system.

If you have managed to indeed generate an html injection, please do not
post details in this ticket and
[https://docs.djangoproject.com/en/dev/internals/security/ send those to
the security email instead].

Also, please read the
[https://docs.djangoproject.com/en/4.2/internals/contributing/triaging-
tickets/#ready-for-checkin guidelines for ticket triage stages], the
person submitting a patch should not mark their own tickets as `Ready for
checkin`.

Thank you!

--
Ticket URL: <https://code.djangoproject.com/ticket/34770#comment:2>

Django

Aug 14, 2023, 1:13:32 PM8/14/23
to django-...@googlegroups.com
#34770: Default autoescape off in password_reset_email.html
------------------------------+----------------------------------------
Reporter: Yi Ming Yung | Owner: Yi Ming Yung
Type: Bug | Status: closed
Component: contrib.auth | Version: 4.2
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+----------------------------------------
Changes (by Natalia Bidart):

* resolution: needsinfo => invalid


Comment:

Changing status to invalid after an email thread in the security mailing
list.

--
Ticket URL: <https://code.djangoproject.com/ticket/34770#comment:3>
