Security Vulnerability in Django Templates

There is an “uncontrolled format string vulnerability” when using {{ form.as_table }} in a Django template. Is there any way to prevent this when using this .as_table call? My first thought is to just manually write the form in the template, but this seems kind of redundant. I cannot imagine there isn’t some way to prevent this using this call.

I don’t see anything in the docs advising against using this “.as_table” call.

I’m curious - what’s telling you this? What tool are you using that is identifying this as an issue? (Mostly what I’m curious about is whether this is an issue with the form.as_table rendering or if there are just specific items within a form that may cause this to be identified as an issue)

Hahaha, I’m not using a tool. We have a group of pen testers on our security team at work and they found it. They won’t let me deploy the application until I fix it. I will ping them to see if I can get more details.

So it appears the security team hasn’t used any actual tools to verify this at this time. They just reviewed the code and apparently made some assumptions. I have to dig more into this to find out if they are even real vulnerabilities.

They are also claiming that form.is_validate() causes a cross-site-history manipulation issue even though I have {% csrf_token %}

Please DO NOT discuss this topic any further in public! Please reach out with details to security@djangoproject.com in case any of you run into actual problems. Thank you!


Ok sounds good. Feel free to delete this thread.