VYPR
Moderate severity · NVD Advisory · Published Dec 7, 2015 · Updated May 6, 2026

CVE-2015-8213

Description

The get_format function in django/utils/formats.py in Django 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 resolves its format_type argument as an arbitrary settings attribute, which might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY. The exposure requires an application that passes a user-controlled format to the date template filter, e.g. {{ last_updated|date:user_date_format }}.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions    Patched versions
Django    PyPI        >= 1.7, < 1.7.11     1.7.11
Django    PyPI        >= 1.8a1, < 1.8.7    1.8.7
Django    PyPI        >= 1.9a1, < 1.9rc2   1.9rc2

Affected products (9)

  • cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:* (version range: <= 1.7.10)
  • cpe:2.3:a:djangoproject:django:1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:djangoproject:django:1.9.0:rc1:*:*:*:*:*:*

Patches (4)
316bc3fc9437

Fixed a settings leak possibility in the date template filter.

https://github.com/django/django · Florian Apolloner · Nov 11, 2015 · via ghsa
4 files changed · +51 -2
  • django/utils/formats.py (modified, +20 -0)
    @@ -30,6 +30,24 @@
     }
     
     
    +FORMAT_SETTINGS = frozenset([
    +    'DECIMAL_SEPARATOR',
    +    'THOUSAND_SEPARATOR',
    +    'NUMBER_GROUPING',
    +    'FIRST_DAY_OF_WEEK',
    +    'MONTH_DAY_FORMAT',
    +    'TIME_FORMAT',
    +    'DATE_FORMAT',
    +    'DATETIME_FORMAT',
    +    'SHORT_DATE_FORMAT',
    +    'SHORT_DATETIME_FORMAT',
    +    'YEAR_MONTH_FORMAT',
    +    'DATE_INPUT_FORMATS',
    +    'TIME_INPUT_FORMATS',
    +    'DATETIME_INPUT_FORMATS',
    +])
    +
    +
     def reset_format_cache():
         """Clear any cached formats.
     
    @@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
         be localized (or not), overriding the value of settings.USE_L10N.
         """
         format_type = force_str(format_type)
    +    if format_type not in FORMAT_SETTINGS:
    +        return format_type
         if use_l10n or (use_l10n is None and settings.USE_L10N):
             if lang is None:
                 lang = get_language()
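Review bot: the early return `if format_type not in FORMAT_SETTINGS: return format_type` closes the settings lookup, but the docstring immediately above it still documents only the lang/use_l10n behaviour; add a sentence stating that any name outside FORMAT_SETTINGS is returned unchanged and is then used as a literal format by callers such as the `date` filter. That is the right fix, but a caller that passes an unknown name now silently gets the name back rather than a setting, which deserves a line in the release notes as well. Placing the check before the use_l10n branch is correct, since it keeps unvalidated names out of the localised lookup path too.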
    
  • docs/releases/1.7.11.txt (modified, +14 -1)
    @@ -4,7 +4,20 @@ Django 1.7.11 release notes
     
     *Under development*
     
    -Django 1.7.11 fixes a data loss bug in 1.7.10.
    +Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.
    +
    +Fixed settings leak possibility in ``date`` template filter
    +===========================================================
    +
    +If an application allows users to specify an unvalidated format for dates and
    +passes this format to the :tfilter:`date` filter, e.g.
    +``{{ last_updated|date:user_date_format }}``, then a malicious user could
    +obtain any secret in the application's settings by specifying a settings key
    +instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
    +
    +To remedy this, the underlying function used by the ``date`` template filter,
    +``django.utils.formats.get_format()``, now only allows accessing the date/time
    +formatting settings.
     
     Bugfixes
     ========
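Review bot: the remedy paragraph says get_format() "now only allows accessing the date/time formatting settings", but the FORMAT_SETTINGS allowlist added to django/utils/formats.py in this same commit also admits DECIMAL_SEPARATOR, THOUSAND_SEPARATOR and NUMBER_GROUPING; say "date/time and number formatting settings" so the note matches the code. The note would also help application authors if it stated what happens to an unrecognised name after the fix: it is returned verbatim and used as a literal format string, so the advice to validate user-supplied formats still stands.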
    
  • docs/releases/1.8.7.txt (modified, +14 -1)
    @@ -4,11 +4,24 @@ Django 1.8.7 release notes
     
     *Under development*
     
    -Django 1.8.7 fixes several bugs in 1.8.6.
    +Django 1.8.7 fixes a security issue and several bugs in 1.8.6.
     
     Additionally, Django's vendored version of six, :mod:`django.utils.six`, has
     been upgraded to the latest release (1.10.0).
     
    +Fixed settings leak possibility in ``date`` template filter
    +===========================================================
    +
    +If an application allows users to specify an unvalidated format for dates and
    +passes this format to the :tfilter:`date` filter, e.g.
    +``{{ last_updated|date:user_date_format }}``, then a malicious user could
    +obtain any secret in the application's settings by specifying a settings key
    +instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
    +
    +To remedy this, the underlying function used by the ``date`` template filter,
    +``django.utils.formats.get_format()``, now only allows accessing the date/time
    +formatting settings.
    +
     Bugfixes
     ========
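Review bot: same wording problem as the 1.7.11 section this text copies: "only allows accessing the date/time formatting settings" understates the FORMAT_SETTINGS allowlist, which also admits DECIMAL_SEPARATOR, THOUSAND_SEPARATOR and NUMBER_GROUPING. Since the paragraph is pasted into two release-notes files in one commit, change both so they do not diverge.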
     
    
  • tests/i18n/tests.py (modified, +3 -0)
    @@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self):
                     '<input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
                 )
     
    +    def test_format_arbitrary_settings(self):
    +        self.assertEqual(get_format('DEBUG'), 'DEBUG')
    +
     
     class MiscTests(SimpleTestCase):
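Review bot: test_format_arbitrary_settings asserts only the negative case, that a non-format setting name (DEBUG) is echoed back; it does not assert that an allowlisted name still resolves (for example get_format('DATE_FORMAT') equals settings.DATE_FORMAT), nor does it exercise the `date` template filter path the release notes describe with SECRET_KEY, so a regression that broke the allowlist lookup entirely would still pass. Add a positive assertion and a render of {{ value|date:"SECRET_KEY" }} that checks the secret value is absent from the output.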
     
    
3ebbda0aef9e

[1.9.x] Fixed a settings leak possibility in the date template filter.

https://github.com/django/django · Florian Apolloner · Nov 11, 2015 · via ghsa
4 files changed · +51 -2
  • django/utils/formats.py (modified, +20 -0)
    @@ -30,6 +30,24 @@
     }
     
     
    +FORMAT_SETTINGS = frozenset([
    +    'DECIMAL_SEPARATOR',
    +    'THOUSAND_SEPARATOR',
    +    'NUMBER_GROUPING',
    +    'FIRST_DAY_OF_WEEK',
    +    'MONTH_DAY_FORMAT',
    +    'TIME_FORMAT',
    +    'DATE_FORMAT',
    +    'DATETIME_FORMAT',
    +    'SHORT_DATE_FORMAT',
    +    'SHORT_DATETIME_FORMAT',
    +    'YEAR_MONTH_FORMAT',
    +    'DATE_INPUT_FORMATS',
    +    'TIME_INPUT_FORMATS',
    +    'DATETIME_INPUT_FORMATS',
    +])
    +
    +
     def reset_format_cache():
         """Clear any cached formats.
     
    @@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
         be localized (or not), overriding the value of settings.USE_L10N.
         """
         format_type = force_str(format_type)
    +    if format_type not in FORMAT_SETTINGS:
    +        return format_type
         if use_l10n or (use_l10n is None and settings.USE_L10N):
             if lang is None:
                 lang = get_language()
    
  • docs/releases/1.7.11.txt (modified, +14 -1)
    @@ -4,7 +4,20 @@ Django 1.7.11 release notes
     
     *Under development*
     
    -Django 1.7.11 fixes a data loss bug in 1.7.10.
    +Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.
    +
    +Fixed settings leak possibility in ``date`` template filter
    +===========================================================
    +
    +If an application allows users to specify an unvalidated format for dates and
    +passes this format to the :tfilter:`date` filter, e.g.
    +``{{ last_updated|date:user_date_format }}``, then a malicious user could
    +obtain any secret in the application's settings by specifying a settings key
    +instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
    +
    +To remedy this, the underlying function used by the ``date`` template filter,
    +``django.utils.formats.get_format()``, now only allows accessing the date/time
    +formatting settings.
     
     Bugfixes
     ========
    
  • docs/releases/1.8.7.txt (modified, +14 -1)
    @@ -4,11 +4,24 @@ Django 1.8.7 release notes
     
     *Under development*
     
    -Django 1.8.7 fixes several bugs in 1.8.6.
    +Django 1.8.7 fixes a security issue and several bugs in 1.8.6.
     
     Additionally, Django's vendored version of six, :mod:`django.utils.six`, has
     been upgraded to the latest release (1.10.0).
     
    +Fixed settings leak possibility in ``date`` template filter
    +===========================================================
    +
    +If an application allows users to specify an unvalidated format for dates and
    +passes this format to the :tfilter:`date` filter, e.g.
    +``{{ last_updated|date:user_date_format }}``, then a malicious user could
    +obtain any secret in the application's settings by specifying a settings key
    +instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
    +
    +To remedy this, the underlying function used by the ``date`` template filter,
    +``django.utils.formats.get_format()``, now only allows accessing the date/time
    +formatting settings.
    +
     Bugfixes
     ========
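Review bot: this commit is labelled [1.9.x], yet the only release-notes files in its file list are docs/releases/1.7.11.txt and docs/releases/1.8.7.txt; nothing under docs/releases records the fix for 1.9rc2, the version the advisory lists as patched on that branch. Add the same section to the 1.9 release notes, or say in the commit message where that is tracked.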
     
    
  • tests/i18n/tests.py (modified, +3 -0)
    @@ -1245,6 +1245,9 @@ def test_localized_as_text_as_hidden_input(self):
                     '<input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
                 )
     
    +    def test_format_arbitrary_settings(self):
    +        self.assertEqual(get_format('DEBUG'), 'DEBUG')
    +
     
     class MiscTests(SimpleTestCase):
     
    
8a01c6b53169

[1.7.x] Fixed a settings leak possibility in the date template filter.

https://github.com/django/django · Florian Apolloner · Nov 11, 2015 · via ghsa
3 files changed · +37 -1
  • django/utils/formats.py (modified, +20 -0)
    @@ -31,6 +31,24 @@
     }
     
     
    +FORMAT_SETTINGS = frozenset([
    +    'DECIMAL_SEPARATOR',
    +    'THOUSAND_SEPARATOR',
    +    'NUMBER_GROUPING',
    +    'FIRST_DAY_OF_WEEK',
    +    'MONTH_DAY_FORMAT',
    +    'TIME_FORMAT',
    +    'DATE_FORMAT',
    +    'DATETIME_FORMAT',
    +    'SHORT_DATE_FORMAT',
    +    'SHORT_DATETIME_FORMAT',
    +    'YEAR_MONTH_FORMAT',
    +    'DATE_INPUT_FORMATS',
    +    'TIME_INPUT_FORMATS',
    +    'DATETIME_INPUT_FORMATS',
    +])
    +
    +
     def reset_format_cache():
         """Clear any cached formats.
     
    @@ -85,6 +103,8 @@ def get_format(format_type, lang=None, use_l10n=None):
         be localized (or not), overriding the value of settings.USE_L10N.
         """
         format_type = force_str(format_type)
    +    if format_type not in FORMAT_SETTINGS:
    +        return format_type
         if use_l10n or (use_l10n is None and settings.USE_L10N):
             if lang is None:
                 lang = get_language()
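Review bot: line-for-line the same code change as 316bc3fc9437, only the hunk offsets differ (@@ -31 and @@ -85 here against -30 and -92 on master), so there is nothing branch-specific to flag. The same gap exists here as on master: get_format()'s docstring does not mention that a name outside FORMAT_SETTINGS is returned verbatim. Touching only docs/releases/1.7.11.txt is the right scope for a 1.7.x backport.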
    
  • docs/releases/1.7.11.txt (modified, +14 -1)
    @@ -4,7 +4,20 @@ Django 1.7.11 release notes
     
     *Under development*
     
    -Django 1.7.11 fixes a data loss bug in 1.7.10.
    +Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.
    +
    +Fixed settings leak possibility in ``date`` template filter
    +===========================================================
    +
    +If an application allows users to specify an unvalidated format for dates and
    +passes this format to the :tfilter:`date` filter, e.g.
    +``{{ last_updated|date:user_date_format }}``, then a malicious user could
    +obtain any secret in the application's settings by specifying a settings key
    +instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
    +
    +To remedy this, the underlying function used by the ``date`` template filter,
    +``django.utils.formats.get_format()``, now only allows accessing the date/time
    +formatting settings.
     
     Bugfixes
     ========
    
  • tests/i18n/tests.py (modified, +3 -0)
    @@ -828,6 +828,9 @@ def test_localized_as_text_as_hidden_input(self):
                     '<input id="id_date_added" name="date_added" type="hidden" value="31.12.2009 06:00:00" />; <input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
                 )
     
    +    def test_format_arbitrary_settings(self):
    +        self.assertEqual(get_format('DEBUG'), 'DEBUG')
    +
     
     class MiscTests(TestCase):
     
    
9f83fc2f66f5

[1.8.x] Fixed a settings leak possibility in the date template filter.

https://github.com/django/django · Florian Apolloner · Nov 11, 2015 · via ghsa
4 files changed · +51 -2
  • django/utils/formats.py (modified, +20 -0)
    @@ -33,6 +33,24 @@
     }
     
     
    +FORMAT_SETTINGS = frozenset([
    +    'DECIMAL_SEPARATOR',
    +    'THOUSAND_SEPARATOR',
    +    'NUMBER_GROUPING',
    +    'FIRST_DAY_OF_WEEK',
    +    'MONTH_DAY_FORMAT',
    +    'TIME_FORMAT',
    +    'DATE_FORMAT',
    +    'DATETIME_FORMAT',
    +    'SHORT_DATE_FORMAT',
    +    'SHORT_DATETIME_FORMAT',
    +    'YEAR_MONTH_FORMAT',
    +    'DATE_INPUT_FORMATS',
    +    'TIME_INPUT_FORMATS',
    +    'DATETIME_INPUT_FORMATS',
    +])
    +
    +
     def reset_format_cache():
         """Clear any cached formats.
     
    @@ -95,6 +113,8 @@ def get_format(format_type, lang=None, use_l10n=None):
         be localized (or not), overriding the value of settings.USE_L10N.
         """
         format_type = force_str(format_type)
    +    if format_type not in FORMAT_SETTINGS:
    +        return format_type
         if use_l10n or (use_l10n is None and settings.USE_L10N):
             if lang is None:
                 lang = get_language()
    
  • docs/releases/1.7.11.txt (modified, +14 -1)
    @@ -4,7 +4,20 @@ Django 1.7.11 release notes
     
     *Under development*
     
    -Django 1.7.11 fixes a data loss bug in 1.7.10.
    +Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.
    +
    +Fixed settings leak possibility in ``date`` template filter
    +===========================================================
    +
    +If an application allows users to specify an unvalidated format for dates and
    +passes this format to the :tfilter:`date` filter, e.g.
    +``{{ last_updated|date:user_date_format }}``, then a malicious user could
    +obtain any secret in the application's settings by specifying a settings key
    +instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
    +
    +To remedy this, the underlying function used by the ``date`` template filter,
    +``django.utils.formats.get_format()``, now only allows accessing the date/time
    +formatting settings.
     
     Bugfixes
     ========
    
  • docs/releases/1.8.7.txt (modified, +14 -1)
    @@ -4,11 +4,24 @@ Django 1.8.7 release notes
     
     *Under development*
     
    -Django 1.8.7 fixes several bugs in 1.8.6.
    +Django 1.8.7 fixes a security issue and several bugs in 1.8.6.
     
     Additionally, Django's vendored version of six, :mod:`django.utils.six`, has
     been upgraded to the latest release (1.10.0).
     
    +Fixed settings leak possibility in ``date`` template filter
    +===========================================================
    +
    +If an application allows users to specify an unvalidated format for dates and
    +passes this format to the :tfilter:`date` filter, e.g.
    +``{{ last_updated|date:user_date_format }}``, then a malicious user could
    +obtain any secret in the application's settings by specifying a settings key
    +instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
    +
    +To remedy this, the underlying function used by the ``date`` template filter,
    +``django.utils.formats.get_format()``, now only allows accessing the date/time
    +formatting settings.
    +
     Bugfixes
     ========
     
    
  • tests/i18n/tests.py (modified, +3 -0)
    @@ -927,6 +927,9 @@ def test_localized_as_text_as_hidden_input(self):
                     '<input id="id_date_added" name="date_added" type="hidden" value="31.12.2009 06:00:00" />; <input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
                 )
     
    +    def test_format_arbitrary_settings(self):
    +        self.assertEqual(get_format('DEBUG'), 'DEBUG')
    +
     
     class MiscTests(TestCase):
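Review bot: as on master, test_format_arbitrary_settings covers only the negative case (a non-format name such as DEBUG is echoed back). Add a positive assertion such as get_format('DATE_FORMAT') == settings.DATE_FORMAT on this branch as well, so the backport is protected independently of master's test suite.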
     
    

Vulnerability mechanics

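The following is an added example, not Django's code and not part of this advisory. It models get_format() as it behaved before the fix (a plain settings attribute lookup, with the localisation branches left out) next to the FORMAT_SETTINGS allowlist the patches add, and pushes both through a cut-down stand-in for the date filter's formatter, so you can see what actually reaches the page when a user supplies "SECRET_KEY" as the format. The settings object, the secret value, the timestamp and the reduced formatter (nine of Django's format characters, everything else copied through) are constructed for the example; validate_user_format is a hypothetical application-side check, not a Django API.

```python
"""Added example for CVE-2015-8213; not Django's code and not part of the
advisory. Models get_format() before and after the FORMAT_SETTINGS allowlist
plus a cut-down date-filter formatter so the leak reproduces without Django.
The settings object, secret, timestamp and formatter are all constructed."""
import datetime
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings (the secret is made up).
settings = SimpleNamespace(
    SECRET_KEY="s3cr3t",
    DEBUG=False,
    DATE_FORMAT="j/m/Y",
    SHORT_DATE_FORMAT="m/d/Y",
    TIME_FORMAT="H:i",
)

# Allowlist exactly as the fix adds it to django/utils/formats.py.
FORMAT_SETTINGS = frozenset([
    'DECIMAL_SEPARATOR', 'THOUSAND_SEPARATOR', 'NUMBER_GROUPING',
    'FIRST_DAY_OF_WEEK', 'MONTH_DAY_FORMAT', 'TIME_FORMAT', 'DATE_FORMAT',
    'DATETIME_FORMAT', 'SHORT_DATE_FORMAT', 'SHORT_DATETIME_FORMAT',
    'YEAR_MONTH_FORMAT', 'DATE_INPUT_FORMATS', 'TIME_INPUT_FORMATS',
    'DATETIME_INPUT_FORMATS',
])

# Constructed timestamp used by the demonstration below.
WHEN = datetime.datetime(2015, 11, 24, 10, 5, 7)


def get_format_vulnerable(format_type):
    """Pre-fix resolution with the l10n branches left out: the name is
    looked up as a settings attribute, so any settings key comes back."""
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type):
    """Post-fix resolution: a name outside FORMAT_SETTINGS is returned
    verbatim and settings is never consulted for it."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type, format_type)


# Cut-down model of django.utils.dateformat.format(): the codes below are
# substituted, a backslash escapes the next character, every other character
# is copied through unchanged. Django supports many more codes; this subset
# is enough to show how a secret survives the formatter almost intact.
_CODES = {
    'd': lambda t: t.strftime('%d'),
    'j': lambda t: str(t.day),
    'm': lambda t: t.strftime('%m'),
    'n': lambda t: str(t.month),
    'Y': lambda t: str(t.year),
    'y': lambda t: t.strftime('%y'),
    'H': lambda t: t.strftime('%H'),
    'i': lambda t: t.strftime('%M'),
    's': lambda t: t.strftime('%S'),
}


def dateformat(value, fmt):
    out, i = [], 0
    while i < len(fmt):
        ch = fmt[i]
        if ch == '\\' and i + 1 < len(fmt):
            out.append(fmt[i + 1])
            i += 2
            continue
        out.append(_CODES[ch](value) if ch in _CODES else ch)
        i += 1
    return ''.join(out)


def render_date_filter(value, arg, resolver):
    """Model of ``{{ value|date:arg }}``: the argument goes through
    get_format() and whatever comes back is used as the format string."""
    return dateformat(value, resolver(arg))


def validate_user_format(arg):
    """Hypothetical application-side check to run before the filter, useful
    even on patched Django: accept a FORMAT_SETTINGS name or a literal made
    only of the format codes and punctuation this formatter handles."""
    if arg in FORMAT_SETTINGS:
        return arg
    allowed = set(_CODES) | set(' /-:.,\\')
    if arg and all(c in allowed for c in arg):
        return arg
    raise ValueError('unsupported date format: %r' % (arg,))


if __name__ == '__main__':
    for resolver in (get_format_vulnerable, get_format_fixed):
        print(resolver.__name__, render_date_filter(WHEN, 'SECRET_KEY', resolver))
```

Run directly, the vulnerable resolver prints the constructed secret with only its single 's' replaced by the seconds field, which is why a secret made mostly of non-format characters survives the formatter nearly verbatim; the fixed resolver prints the literal string SECRET_KEY with just the Y expanded to the year. The fix does not validate formats on the application's behalf: a user-controlled string still reaches the formatter as a literal, so keep a check like validate_user_format() in front of the filter.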

References (21)
