Fixed #24625 -- Prevented arbitrary file inclusion in admindocs

Thanks Tim Graham for the review.
2025-10-24 06:06:09 +00:00 · 2015-03-31 15:47:06 +02:00
parent 4e7ed8d0d3
commit 09595b4fc6
5 changed files with 18 additions and 1 deletions
--- a/tests/admin_docs/tests.py
+++ b/tests/admin_docs/tests.py
@@ -290,6 +290,12 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase):
            "all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
        )

+        # "raw" and "include" directives are disabled
+        self.assertContains(self.response, '<p>&quot;raw&quot; directive disabled.</p>',)
+        self.assertContains(self.response, '.. raw:: html\n    :file: admin_docs/evilfile.txt')
+        self.assertContains(self.response, '<p>&quot;include&quot; directive disabled.</p>',)
+        self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
+
    def test_model_with_many_to_one(self):
        link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
        response = self.client.get(