=============================
Django 1.6.11.2 release notes
=============================

*November 24, 2015*

Django 1.6.11.2 fixes one security issue. It corresponds to the
Django 1.7.11, 1.8.7, and 1.9 RC 2 releases.

Fixed settings leak possibility in ``date`` template filter
===========================================================

If an application allows users to specify an unvalidated format for dates and
passes this format to the :tfilter:`date` filter, e.g.
``{{ last_updated|date:user_date_format }}``, then a malicious user could
obtain any secret in the application's settings by specifying a settings key
instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.

To remedy this, the underlying function used by the ``date`` template filter,
``django.utils.formats.get_format()``, now only allows accessing the date/time
formatting settings.
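The following is an added illustration, not code from Django or from these release notes. It models, in plain Python with no Django dependency, how the ``date`` filter resolved its argument through ``get_format()`` before the fix (any attribute name on ``settings`` was looked up, with a fallback to treating the argument as a literal format when the lookup failed) and after it (only a whitelist of date/time formatting settings is consulted; anything else is used as a literal format string). Assumptions, labelled in the code as well: ``Settings`` stands in for ``django.conf.settings`` with a constructed, fake ``SECRET_KEY``; ``render_date`` is a toy replacement for ``django.utils.dateformat.format`` that understands only five format letters; ``FORMAT_SETTINGS`` reproduces the whitelist idea of the fix but is not guaranteed to match Django's exact list; and ``ALLOWED_USER_FORMATS`` / ``safe_user_date_format`` are an application-side check that is not part of Django at all.

```python
"""Added example: a miniature model of the get_format() settings leak and
its fix. Not Django's code; all names below are stand-ins (assumption)."""
import datetime


class Settings:
    """Stand-in for django.conf.settings (constructed sample values)."""
    SECRET_KEY = "xq-8f13-SAMPLE-TOKEN-0099"  # constructed, not a real secret
    DATE_FORMAT = "Y-m-d"
    DATE_INPUT_FORMATS = ["%Y-%m-%d"]


settings = Settings()

# Whitelist of setting names that the fixed get_format() may read.
# Mirrors the approach of the fix; the exact list in Django may differ (assumption).
FORMAT_SETTINGS = frozenset({
    "DATE_FORMAT", "DATETIME_FORMAT", "TIME_FORMAT",
    "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "MONTH_DAY_FORMAT",
    "DATE_INPUT_FORMATS", "TIME_INPUT_FORMATS", "DATETIME_INPUT_FORMATS",
    "DECIMAL_SEPARATOR", "THOUSAND_SEPARATOR", "NUMBER_GROUPING",
    "FIRST_DAY_OF_WEEK",
})

# Toy format letters: a tiny subset of what django.utils.dateformat understands.
_FORMAT_CHARS = {
    "d": lambda dt: "%02d" % dt.day,
    "j": lambda dt: str(dt.day),
    "m": lambda dt: "%02d" % dt.month,
    "n": lambda dt: str(dt.month),
    "Y": lambda dt: str(dt.year),
}


def render_date(dt, fmt):
    """Toy stand-in for dateformat.format(): known letters are replaced,
    every other character passes through verbatim. That pass-through is
    what turns a setting value used as a format into a leak."""
    return "".join(_FORMAT_CHARS[ch](dt) if ch in _FORMAT_CHARS else ch
                   for ch in fmt)


def get_format_vulnerable(format_type):
    """Pre-fix behaviour (simplified): whatever name the caller supplies is
    resolved against settings, so "SECRET_KEY" resolves to the secret."""
    return getattr(settings, format_type)


def get_format_fixed(format_type):
    """Post-fix behaviour (simplified): only the formatting settings are
    resolvable; any other string is returned unchanged and used as a
    literal format."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


def date_filter(value, arg, get_format):
    """Model of the date filter's argument handling: try the settings
    lookup, and on AttributeError fall back to the argument itself as the
    format string (this is why "j/m/Y" still worked before the fix)."""
    try:
        fmt = get_format(arg)
    except AttributeError:
        fmt = arg
    return render_date(value, fmt)


# Application-side check (assumption, not part of Django): never hand an
# unvalidated user string to the filter, even on a patched Django.
ALLOWED_USER_FORMATS = frozenset({"j/m/Y", "m/d/Y", "Y-m-d", "d.m.Y"})


def safe_user_date_format(requested, default="Y-m-d"):
    """Return the user's format only if it is one of the known-good ones."""
    return requested if requested in ALLOWED_USER_FORMATS else default


if __name__ == "__main__":
    when = datetime.date(2015, 11, 24)
    for label, getter in (("vulnerable", get_format_vulnerable),
                          ("fixed", get_format_fixed)):
        for arg in ("j/m/Y", "SECRET_KEY"):
            print("%-10s %-11s -> %s" % (label, arg,
                                         date_filter(when, arg, getter)))
    print("validated  %s -> %s" % ("SECRET_KEY",
                                   safe_user_date_format("SECRET_KEY")))
```

With the vulnerable lookup, ``SECRET_KEY`` as the filter argument renders the constructed secret verbatim; with the fixed lookup, the same argument is treated as a literal format and only its format letters (here ``Y``) are interpreted. In real Django the date formatter recognises many more letters than this toy does, so a leaked value would be partially mangled rather than reproduced exactly, but most of it would still be exposed; the whitelist in ``get_format()`` closes that path, and the application-level whitelist keeps user input from reaching the filter unvalidated in the first place.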