#33986: Code formatters should be looked up before template rendering in
startapp/startproject
-------------------------------------+-------------------------------------
     Reporter:  Shai Berger          |                    Owner:  Shai Berger
         Type:  Cleanup/optimization |                   Status:  closed
    Component:  Core (Management     |                  Version:  dev
                commands)            |
     Severity:  Normal               |               Resolution:  fixed
     Keywords:  hardening            |             Triage Stage:  Ready for checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Changes (by Carlton Gibson <carlton@…>):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"42cd8c390d5f165fd7f6bbdffafd2aa4c2d9a32a" 42cd8c3]:
 {{{
 #!CommitTicketReference repository=""
 revision="42cd8c390d5f165fd7f6bbdffafd2aa4c2d9a32a"
 Fixed #33986 -- Hardened binary lookup in template commands.

 Made template commands look up formatters before writing files.
 This makes sure files included in the template are not identified
 as executable formatter commands, even in case the template is
 rendered into the system path (as might easily happen on Windows,
 where the current directory is on the system path by default).

 While at it, warned about trusting custom templates for
 startapp/startproject.

 Thanks Trung Pham of Viettel Cyber Security for reporting the issue,
 Django Security Team for discussions, and Adam Johnson and
 Carlton Gibson for reviews.
 }}}

-- 
Ticket URL: <https://code.djangoproject.com/ticket/33986#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
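The ordering problem the commit describes, as an added example that is not Django's own code: a custom template renders a file named like the formatter into the target directory, and if that directory is on PATH (as the current directory is by default on Windows) a lookup performed after rendering resolves to the template's file instead of the real tool. The template rendering below is a constructed stand-in, the PATH is passed explicitly to `shutil.which` so the Windows behaviour can be simulated deterministically on a POSIX host, and the use of `shutil.which` for the lookup is an assumption, not a claim about Django's implementation.

```python
import os
import shutil
import stat
import tempfile

# Name of the formatter the template commands try to run on rendered files.
FORMATTER = "black"


def render_template(target_dir):
    """Constructed stand-in for rendering an untrusted startproject/startapp
    template: one of the rendered files is named like the formatter and is
    marked executable (POSIX permission bits assumed)."""
    os.makedirs(target_dir, exist_ok=True)
    planted = os.path.join(target_dir, FORMATTER)
    with open(planted, "w") as fh:
        fh.write("#!/bin/sh\necho 'template payload ran'\n")
    mode = os.stat(planted).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    os.chmod(planted, mode)
    return planted


def lookup_after_render(target_dir, search_path):
    """Pre-fix ordering: write the template files first, then look for the
    formatter. With target_dir on the search path, the planted file wins."""
    render_template(target_dir)
    return shutil.which(FORMATTER, path=search_path)


def lookup_before_render(target_dir, search_path):
    """Hardened ordering: resolve the formatter before any template file
    exists, so nothing the template ships can be picked up as the tool."""
    formatter = shutil.which(FORMATTER, path=search_path)
    render_template(target_dir)
    return formatter


def compare_orderings():
    """Run both orderings against a search path that contains the target
    directory (simulating cwd-on-PATH) and no real formatter anywhere.
    Returns (after_render_hit, before_render_hit), each True when the
    lookup resolved to the file planted by the template."""
    with tempfile.TemporaryDirectory() as workdir:
        empty_bin = os.path.join(workdir, "empty-bin")  # stands in for a PATH with no black
        os.mkdir(empty_bin)
        results = []
        for label, lookup in (("after", lookup_after_render),
                              ("before", lookup_before_render)):
            target = os.path.join(workdir, f"project-{label}")
            search_path = os.pathsep.join([target, empty_bin])
            found = lookup(target, search_path)
            planted = os.path.join(target, FORMATTER)
            results.append(found is not None and os.path.samefile(found, planted))
        return tuple(results)


if __name__ == "__main__":
    after, before = compare_orderings()
    print(f"lookup after rendering resolves to the template's file:  {after}")
    print(f"lookup before rendering resolves to the template's file: {before}")
```

Moving the lookup earlier only closes the path-hijack window; as the commit message notes, a custom template is still untrusted input, and the example's explicit `path=` is what makes the result reproducible on a POSIX host where the current directory is not normally on PATH.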
