[Django] #36436: Sensitive signer.key exposed via Django messages framework in templates


Django

Jun 4, 2025, 3:08:06 AM
to django-...@googlegroups.com
#36436: Sensitive signer.key exposed via Django messages framework in templates
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce | Type: Cleanup/optimization
Status: new | Component: contrib.messages
Version: 5.1 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
The following was reported by Fredrick Peters to the Django security team.

We’ve reviewed the issue and concluded that it can be publicly tracked as
a hardening measure, as it assumes the attacker already has the ability to
write Django templates. There is already a documented warning against
untrusted template authors in the Django template documentation:
https://docs.djangoproject.com/en/5.2/topics/templates/#module-django.template

> The template system isn’t safe against untrusted template authors. For
> example, a site shouldn’t allow its users to provide their own templates,
> since template authors can do things like perform XSS attacks and access
> properties of template variables that may contain sensitive information.

The specific issue is that when `django.contrib.messages` is in
`INSTALLED_APPS` and the default message storage is used
(`CookieStorage`), a template author can access:

{{{
{{ messages.storages.0.signer.key }}
}}}

This exposes the signer key used internally to sign messages, which is
ultimately derived from Django’s `SECRET_KEY`. This is possible because
`CookieStorage` assigns the signer as a public attribute:

{{{#!python
class CookieStorage(BaseStorage):  # from django/contrib/messages/storage/cookie.py
    key_salt = "django.contrib.messages"

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.signer = signing.get_cookie_signer(salt=self.key_salt)  # public attribute
}}}

It might still be beneficial to change `self.signer` to a private
attribute (e.g., `self._signer`) or otherwise shield direct access to
sensitive internals via the template context.

This isn’t a security vulnerability but qualifies as a useful hardening
change to prevent accidental exposure by users who may not fully
understand the risks of template authoring.
--
Ticket URL: <https://code.djangoproject.com/ticket/36436>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
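As an added example (not part of the ticket, and not Django's own code), the following Python models the template engine's dotted-variable lookup in simplified form to show why the suggested `_signer` rename closes the lookup path: a public `signer` attribute resolves through `messages.storages.0.signer.key`, while a name beginning with an underscore is refused before any lookup happens. `resolve`, `ExposedStorage`, `HardenedStorage` and the secret value are constructed stand-ins, not Django classes.

```python
"""Added example, not Django's code: a simplified model of how Django's template
engine resolves a dotted variable such as messages.storages.0.signer.key
(dict key, then attribute, then list index per segment; a segment starting
with an underscore is refused at parse time). Names below are constructed."""
import hashlib
import hmac
from types import SimpleNamespace

class TemplateLookupError(Exception):
    pass

def resolve(context, dotted):
    current = context
    for bit in dotted.split("."):
        if bit.startswith("_"):
            # Django: "Variables and attributes may not begin with underscores"
            raise TemplateLookupError(f"{bit!r} not allowed")
        try:
            current = current[bit]  # dict key
        except (TypeError, KeyError):
            try:
                current = getattr(current, bit)  # attribute
            except AttributeError:
                try:
                    current = current[int(bit)]  # list index
                except (ValueError, IndexError, TypeError):
                    raise TemplateLookupError(f"cannot resolve {bit!r}")
    return current

class ExposedStorage:
    """'Before': signer is a public attribute, as in the ticket's snippet."""
    def __init__(self, key):
        self.signer = SimpleNamespace(key=key)  # stand-in for a django Signer

class HardenedStorage:
    """'After': the ticket's suggested rename; only sign() is reachable."""
    def __init__(self, key):
        self._signer = SimpleNamespace(key=key)

    def sign(self, value):
        return hmac.new(self._signer.key, value.encode(), hashlib.sha256).hexdigest()

def key_readable_from_template(storage_cls):
    """True if {{ messages.storages.0.signer.key }} would reveal the key."""
    ctx = {"messages": {"storages": [storage_cls(b"constructed-secret")]}}
    try:
        return resolve(ctx, "messages.storages.0.signer.key") == b"constructed-secret"
    except TemplateLookupError:
        return False
```

In real Django a failed lookup renders as `string_if_invalid` (empty by default) rather than raising, and the underscore check happens when the template is parsed; the outcome for the template author is the same.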

Django

Jun 4, 2025, 3:45:45 AM
to django-...@googlegroups.com
#36436: Sensitive signer.key exposed via Django messages framework in templates
--------------------------------------+------------------------------------
Reporter: Sarah Boyce | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: contrib.messages | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by David Sanders):

* stage: Unreviewed => Accepted

--
Ticket URL: <https://code.djangoproject.com/ticket/36436#comment:1>

Django

Jun 4, 2025, 4:38:35 AM
to django-...@googlegroups.com
#36436: Sensitive signer.key exposed via Django messages framework in templates
--------------------------------------+------------------------------------
Reporter: Sarah Boyce | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: contrib.messages | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Adam Johnson):

* cc: Adam Johnson (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/36436#comment:2>

Django

Jun 4, 2025, 5:24:39 AM
to django-...@googlegroups.com
#36436: Sensitive signer.key exposed via Django messages framework in templates
--------------------------------------+------------------------------------
Reporter: Sarah Boyce | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: contrib.messages | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Jake Howard):

* cc: Jake Howard (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/36436#comment:3>

Django

Jun 9, 2025, 6:02:38 AM
to django-...@googlegroups.com
#36436: Sensitive signer.key exposed via Django messages framework in templates
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce | Owner: SOHAIL AHMAD
Type: Cleanup/optimization | Status: assigned
Component: contrib.messages | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by SOHAIL AHMAD):

* owner: (none) => SOHAIL AHMAD
* status: new => assigned

--
Ticket URL: <https://code.djangoproject.com/ticket/36436#comment:4>

Django

Oct 14, 2025, 9:20:05 AM
to django-...@googlegroups.com
#36436: Sensitive signer.key exposed via Django messages framework in templates
-------------------------------------+-------------------------------------
Reporter: Sarah Boyce | Owner: SOHAIL AHMAD
Type: Cleanup/optimization | Status: assigned
Component: contrib.messages | Version: 5.1
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* has_patch: 0 => 1

Comment:

[https://github.com/django/django/pull/19545 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/36436#comment:5>