Changes between Initial Version and Version 7 of Ticket #34581


Ignore:
Timestamp:
Oct 1, 2023, 6:30:18 AM (15 months ago)
Author:
Shai Berger
Comment:

Replying to omerimzali:

"I suggest a general rule: A filter which gets unsafe input, should not escape it, and yet needs to produce safe output, should error out. This is a hardening, not a security fix, so it should follow a normal deprecation cycle: The actual change should only happen after the next LTS release."

A filter which gets unsafe input should not escape it. I totally agree but do we mean it only when autoescape off? {% autoescape off %}

I guess this phrasing was unclear, and I changed it in hope it is clearer now: The "should not change it" part is not part of "how a filter should generally behave", but a further condition. A filter for which all three conditions are true, should error out. "autoescape off" means that filters, generally, should not escape the input.

How should I check "All filters which can get unsafe input". I know Django at least has 4 of them below. What's the right way to find others? Should this patch contains all of them.

join
linenumbers,
linebreaks,
linebreaksbr,

All filters can get unsafe input. Whether the filter actually got safe or unsafe input is only decided at runtime, and cannot be known in advance. The interesting question is, "does the filter need to produce safe output", and this changes from filter to filter: The last three you listed always need to produce safe output, because they need to include HTML to break lines; but for some filters, like join, this too is only decided at runtime -- join needs to produce safe output if (and only if) any of its inputs (the list members and the joiner) are safe. I can't think of any way to find which filters are relevant (and when), except to go over them one by one.

I hope this clarifies the issue.

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #34581

    • Property Owner changed from nobody to omerimzali
    • Property Status newassigned
    • Property Triage Stage UnreviewedAccepted
  • Ticket #34581 – Description

    initial v7  
    1515But when autoescaping is off, inputs are not escaped -- however, the output, which usually includes their content verbatim, is still marked safe.
    1616
    17 I suggest a general rule: A filter which gets unsafe input, should not escape it, and yet needs to produce safe output, should error out. This is a hardening, not a security fix, so it should follow a normal deprecation cycle: The actual change should only happen after the next LTS release.
     17I suggest a general rule: A filter which fulfills these three conditions, should error out:
     18- it needs to produce safe output
     19- some of its input is unsafe,
     20- the context is such that it should not escape the input
     21
     22This is a hardening, not a security fix, so it should follow a normal deprecation cycle: The actual change should only happen after the next LTS release.
    1823
    1924This would affect many filters, and is backwards-incompatible, but I think it would make the escaping more consistent and predictable, and it would make Django more safe-by-default for some less-common use-cases.
Back to Top