[Django] #37174: Template fragment cache key collision for vary_on values containing ":"
4 views
Skip to first unread message
Django
Jun 16, 2026, 11:58:22 AM (3 days ago) Jun 16
to django-...@googlegroups.com
#37174: Template fragment cache key collision for vary_on values containing ":"
------------------------------+-------------------------------------------
Reporter: Jacob Walls | Type: Bug
Status: new | Component: Template system
Version: 6.0 | Severity: Normal
Keywords: not-security | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------------
The [https://docs.djangoproject.com/en/6.0/topics/cache/#template-
fragment-caching documented example] for template fragment caching
demonstrates using `request.user.username` as a `vary_on` argument. If
that username contained `:`, and another `vary_on` argument was present,
then two cache keys might collide, and the wrong content could be served.
See this PoC provided to the Security Team:
{{{#!py
from django.core.cache.utils import make_template_fragment_key
a = make_template_fragment_key("frag", ["alice", "b:c"])
b = make_template_fragment_key("frag", ["alice:b", "c"])
assert a == b # same key
}}}
We decided against accepting this as a security issue given the
unlikelihood of colons in the data most important to vary on from a
security perspective, e.g. usernames in a ''username'' + ''language code''
vary_on pair, but there is a correctness issue to fix here.
One fix strategy would involve incorporating the lengths of the arguments
into the cache key.
Since this will cause cache busting, we should probably document in the
release note something similar to the note from
5cb3ed187b283059589cb442c56a66a795800cac.
--
Ticket URL: <https://code.djangoproject.com/ticket/37174>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
------------------------------+-------------------------------------------
Reporter: Jacob Walls | Type: Bug
Status: new | Component: Template system
Version: 6.0 | Severity: Normal
Keywords: not-security | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+-------------------------------------------
The [https://docs.djangoproject.com/en/6.0/topics/cache/#template-
fragment-caching documented example] for template fragment caching
demonstrates using `request.user.username` as a `vary_on` argument. If
that username contained `:`, and another `vary_on` argument was present,
then two cache keys might collide, and the wrong content could be served.
See this PoC provided to the Security Team:
{{{#!py
from django.core.cache.utils import make_template_fragment_key
a = make_template_fragment_key("frag", ["alice", "b:c"])
b = make_template_fragment_key("frag", ["alice:b", "c"])
assert a == b # same key
}}}
We decided against accepting this as a security issue given the
unlikelihood of colons in the data most important to vary on from a
security perspective, e.g. usernames in a ''username'' + ''language code''
vary_on pair, but there is a correctness issue to fix here.
One fix strategy would involve incorporating the lengths of the arguments
into the cache key.
Since this will cause cache busting, we should probably document in the
release note something similar to the note from
5cb3ed187b283059589cb442c56a66a795800cac.
--
Ticket URL: <https://code.djangoproject.com/ticket/37174>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Jun 16, 2026, 12:50:34 PM (3 days ago) Jun 16
to django-...@googlegroups.com
#37174: Template fragment cache key collision for vary_on values containing ":"
---------------------------------+------------------------------------
Reporter: Jacob Walls | Owner: (none)
Type: Bug | Status: new
Component: Template system | Version: 6.0
Severity: Normal | Resolution:
Component: Template system | Version: 6.0
Keywords: not-security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Natalia Bidart):
* stage: Unreviewed => Accepted
Comment:
Thanks!
--
Ticket URL: <https://code.djangoproject.com/ticket/37174#comment:1>
Django
Jun 16, 2026, 9:49:16 PM (3 days ago) Jun 16
to django-...@googlegroups.com
#37174: Template fragment cache key collision for vary_on values containing ":"
---------------------------------+------------------------------------
Reporter: Jacob Walls | Owner: Amar
---------------------------------+------------------------------------
Type: Bug | Status: assigned
Component: Template system | Version: 6.0
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Changes (by Amar):
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
* owner: (none) => Amar
* status: new => assigned
--
Ticket URL: <https://code.djangoproject.com/ticket/37174#comment:2>
Django
Jun 18, 2026, 1:44:53 PM (yesterday) Jun 18
to django-...@googlegroups.com
#37174: Template fragment cache key collision for vary_on values containing ":"
---------------------------------+---------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: Template system | Version: 6.0
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Component: Template system | Version: 6.0
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Jacob Walls):
* owner: Amar => Jacob Walls
Comment:
Amar, this one is almost identical to #37101, so if you don't mind, I'm
going to fix them both in the same PR to aid review.
--
Ticket URL: <https://code.djangoproject.com/ticket/37174#comment:3>
Django
Jun 18, 2026, 1:53:03 PM (yesterday) Jun 18
to django-...@googlegroups.com
#37174: Template fragment cache key collision for vary_on values containing ":"
---------------------------------+---------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: Template system | Version: 6.0
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Comment (by Amar):
---------------------------------+---------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: Template system | Version: 6.0
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
No worries at all, Jacob! You are welcome to take it. A combined PR makes
perfect sense here.
--
Ticket URL: <https://code.djangoproject.com/ticket/37174#comment:4>
Django
Jun 18, 2026, 2:50:54 PM (yesterday) Jun 18
to django-...@googlegroups.com
#37174: Template fragment cache key collision for vary_on values containing ":"
---------------------------------+---------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: Template system | Version: 6.0
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
---------------------------------+---------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: Template system | Version: 6.0
Severity: Normal | Resolution:
Keywords: not-security | Triage Stage: Accepted
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
Changes (by Jacob Walls):
Easy pickings: 0 | UI/UX: 0
---------------------------------+---------------------------------------
* has_patch: 0 => 1
Comment:
[https://github.com/django/django/pull/21516 PR]
--
Ticket URL: <https://code.djangoproject.com/ticket/37174#comment:5>
Reply all
Reply to author
Forward
0 new messages