[4.0.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.

MarkusH · adamchainz · felixxm · commit 01422046065d · 2022-02-01T07:43:45.000+01:00
Thanks Keryn Knight for the report. Backport of 394517f from main. Co-authored-by: Adam Johnson <me@adamj.eu>
diff --git a/django/template/defaulttags.py b/django/template/defaulttags.py
@@ -8,7 +8,7 @@
 
 from django.conf import settings
 from django.utils import timezone
-from django.utils.html import conditional_escape, format_html
+from django.utils.html import conditional_escape, escape, format_html
 from django.utils.lorem_ipsum import paragraphs, words
 from django.utils.safestring import mark_safe
 
@@ -99,10 +99,13 @@ def reset(self, context):
 
 class DebugNode(Node):
     def render(self, context):
+        if not settings.DEBUG:
+            return ''
+
         from pprint import pformat
-        output = [pformat(val) for val in context]
+        output = [escape(pformat(val)) for val in context]
         output.append('\n\n')
-        output.append(pformat(sys.modules))
+        output.append(escape(pformat(sys.modules)))
         return ''.join(output)
 
 
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
@@ -194,7 +194,13 @@ from its first value when it's next encountered.
 ---------
 
 Outputs a whole load of debugging information, including the current context
-and imported modules.
+and imported modules. ``{% debug %}`` outputs nothing when the :setting:`DEBUG`
+setting is ``False``.
+
+.. versionchanged:: 2.2.27
+
+    In older versions, debugging information was displayed when the
+    :setting:`DEBUG` setting was ``False``.
 
 .. templatetag:: extends
 
diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt
@@ -6,4 +6,12 @@ Django 2.2.27 release notes
 
 Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26.
 
-...
+CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
+=============================================================
+
+The ``{% debug %}`` template tag didn't properly encode the current context,
+posing an XSS attack vector.
+
+In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
+information when the ``DEBUG`` setting is ``False``, and it ensures all context
+variables are correctly escaped when the ``DEBUG`` setting is ``True``.
diff --git a/docs/releases/3.2.12.txt b/docs/releases/3.2.12.txt
@@ -6,4 +6,12 @@ Django 3.2.12 release notes
 
 Django 3.2.12 fixes two security issues with severity "medium" in 3.2.11.
 
-...
+CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
+=============================================================
+
+The ``{% debug %}`` template tag didn't properly encode the current context,
+posing an XSS attack vector.
+
+In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
+information when the ``DEBUG`` setting is ``False``, and it ensures all context
+variables are correctly escaped when the ``DEBUG`` setting is ``True``.
diff --git a/docs/releases/4.0.2.txt b/docs/releases/4.0.2.txt
@@ -8,6 +8,16 @@ Django 4.0.2 fixes two security issues with severity "medium" and several bugs
 in 4.0.1. Also, the latest string translations from Transifex are incorporated,
 with a special mention for Bulgarian (fully translated).
 
+CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
+=============================================================
+
+The ``{% debug %}`` template tag didn't properly encode the current context,
+posing an XSS attack vector.
+
+In order to avoid this vulnerability, ``{% debug %}`` no longer outputs an
+information when the ``DEBUG`` setting is ``False``, and it ensures all context
+variables are correctly escaped when the ``DEBUG`` setting is ``True``.
+
 Bugfixes
 ========
 
diff --git a/tests/template_tests/syntax_tests/test_debug.py b/tests/template_tests/syntax_tests/test_debug.py
@@ -0,0 +1,46 @@
+from django.contrib.auth.models import Group
+from django.test import SimpleTestCase, override_settings
+
+from ..utils import setup
+
+
+@override_settings(DEBUG=True)
+class DebugTests(SimpleTestCase):
+
+    @override_settings(DEBUG=False)
+    @setup({'non_debug': '{% debug %}'})
+    def test_non_debug(self):
+        output = self.engine.render_to_string('non_debug', {})
+        self.assertEqual(output, '')
+
+    @setup({'modules': '{% debug %}'})
+    def test_modules(self):
+        output = self.engine.render_to_string('modules', {})
+        self.assertIn(
+            '&#x27;django&#x27;: &lt;module &#x27;django&#x27; ',
+            output,
+        )
+
+    @setup({'plain': '{% debug %}'})
+    def test_plain(self):
+        output = self.engine.render_to_string('plain', {'a': 1})
+        self.assertTrue(output.startswith(
+            '{&#x27;a&#x27;: 1}'
+            '{&#x27;False&#x27;: False, &#x27;None&#x27;: None, '
+            '&#x27;True&#x27;: True}\n\n{'
+        ))
+
+    @setup({'non_ascii': '{% debug %}'})
+    def test_non_ascii(self):
+        group = Group(name="清風")
+        output = self.engine.render_to_string('non_ascii', {'group': group})
+        self.assertTrue(output.startswith(
+            '{&#x27;group&#x27;: &lt;Group: 清風&gt;}'
+        ))
+
+    @setup({'script': '{% debug %}'})
+    def test_script(self):
+        output = self.engine.render_to_string('script', {'frag': '<script>'})
+        self.assertTrue(output.startswith(
+            '{&#x27;frag&#x27;: &#x27;&lt;script&gt;&#x27;}'
+        ))
diff --git a/tests/template_tests/tests.py b/tests/template_tests/tests.py
@@ -1,6 +1,5 @@
 import sys
 
-from django.contrib.auth.models import Group
 from django.template import (
     Context, Engine, TemplateDoesNotExist, TemplateSyntaxError,
 )
@@ -163,15 +162,6 @@ def test_super_errors(self):
         with self.assertRaises(NoReverseMatch):
             t.render(Context())
 
-    def test_debug_tag_non_ascii(self):
-        """
-        #23060 -- Test non-ASCII model representation in debug output.
-        """
-        group = Group(name="清風")
-        c1 = Context({"objs": [group]})
-        t1 = self._engine().from_string('{% debug %}')
-        self.assertIn("清風", t1.render(c1))
-
     def test_extends_generic_template(self):
         """
         #24338 -- Allow extending django.template.backends.django.Template
