#37174: Template fragment cache key collision for vary_on values containing ":"
------------------------------+-------------------------------------------
     Reporter:  Jacob Walls   |                     Type:  Bug
       Status:  new           |                Component:  Template system
      Version:  6.0           |                 Severity:  Normal
     Keywords:  not-security  |             Triage Stage:  Unreviewed
    Has patch:  0             |      Needs documentation:  0
  Needs tests:  0             |  Patch needs improvement:  0
Easy pickings:  0             |                    UI/UX:  0
------------------------------+-------------------------------------------
 The [https://docs.djangoproject.com/en/6.0/topics/cache/#template-fragment-caching documented example]
 for template fragment caching demonstrates using `request.user.username` as
 a `vary_on` argument. If that username contained `:`, and another `vary_on`
 argument was present, then two cache keys might collide, and the wrong
 content could be served.

 See this PoC provided to the Security Team:

 {{{#!py
 from django.core.cache.utils import make_template_fragment_key
 a = make_template_fragment_key("frag", ["alice", "b:c"])
 b = make_template_fragment_key("frag", ["alice:b", "c"])
 assert a == b   # same key
 }}}
 We decided against accepting this as a security issue given the
 unlikelihood of colons in the data most important to vary on from a
 security perspective, e.g. usernames in a ''username'' + ''language code''
 vary_on pair, but there is a correctness issue to fix here.

 One fix strategy would involve incorporating the lengths of the arguments
 into the cache key.
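 The following is an added illustration, not Django's code and not part of
 the ticket: a constructed model of a key derivation that joins `vary_on`
 values with `:` (the shape the PoC above exercises, reproducing the
 collision), next to a length-prefixed variant of the kind the paragraph
 above suggests. The `template.cache.<name>.<digest>` key layout, the use of
 SHA-256 and the function names are assumptions made for the example; the
 point is the serialization of the arguments, not the hash.

```python
import hashlib

KEY_TEMPLATE = "template.cache.%s.%s"  # assumed layout, not Django's own constant


def joined_key(fragment_name, vary_on):
    """Constructed model: each value is appended followed by ':'.

    ["alice", "b:c"] and ["alice:b", "c"] both serialize to b"alice:b:c:",
    so they hash to the same key. This is the defect, kept on purpose.
    """
    hasher = hashlib.sha256()
    for arg in vary_on:
        hasher.update(str(arg).encode())
        hasher.update(b":")
    return KEY_TEMPLATE % (fragment_name, hasher.hexdigest())


def length_prefixed_key(fragment_name, vary_on):
    """Length-prefixed serialization: '<byte length>:<bytes>' per value.

    Because a decoder can always recover the original sequence (read digits
    up to ':', then exactly that many bytes), two different argument lists
    can never produce the same serialization, whatever characters they hold.
    """
    hasher = hashlib.sha256()
    for arg in vary_on:
        data = str(arg).encode()
        hasher.update(b"%d:" % len(data))
        hasher.update(data)
    return KEY_TEMPLATE % (fragment_name, hasher.hexdigest())


def collides(key_func, fragment_name, vary_a, vary_b):
    """True when two *different* vary_on lists map to one key under key_func."""
    if list(map(str, vary_a)) == list(map(str, vary_b)):
        return False  # identical inputs are expected to share a key
    return key_func(fragment_name, vary_a) == key_func(fragment_name, vary_b)


# Constructed sample inputs: the pair from the PoC plus an empty-value pair
# that the colon-joined scheme also conflates.
SAMPLES = [
    (["alice", "b:c"], ["alice:b", "c"]),
    (["alice", ""], ["alice:"]),
]


def report(fragment_name="frag"):
    """Return {(a, b): (collides_joined, collides_prefixed)} for the samples."""
    return {
        (tuple(a), tuple(b)): (
            collides(joined_key, fragment_name, a, b),
            collides(length_prefixed_key, fragment_name, a, b),
        )
        for a, b in SAMPLES
    }


if __name__ == "__main__":
    for (a, b), (joined, prefixed) in report().items():
        print(f"{a!r} vs {b!r}: joined collides={joined}, prefixed collides={prefixed}")
```

 Note that any change to the serialization changes every existing fragment
 key, which is the cache-busting effect the ticket mentions for the release
 note.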

 Since this will cause cache busting, we should probably document in the
 release note something similar to the note from
 5cb3ed187b283059589cb442c56a66a795800cac.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/37174>