mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #24625 -- Prevented arbitrary file inclusion in admindocs

Browse Source 
Thanks Tim Graham for the review.
This commit is contained in:
Markus Holtermann
2015-03-31 15:47:06 +02:00
parent 4e7ed8d0d3
commit 09595b4fc6
5 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
django/contrib/admindocs/utils.py
View File

@@ -67,7 +67,9 @@ def parse_rst(text, default_reference_context, thing_being_parsed=None):
'doctitle_xform': True,
'inital_header_level': 3,
"default_reference_context": default_reference_context,
"link_base": reverse('django-admindocs-docroot').rstrip('/')
"link_base": reverse('django-admindocs-docroot').rstrip('/'),
'raw_enabled': False,
'file_insertion_enabled': False,
}
if thing_being_parsed:
thing_being_parsed = force_bytes("<%s>" % thing_being_parsed)

3
docs/releases/1.8.1.txt
View File

@@ -35,3 +35,6 @@ Bugfixes
* Fixed a regression in the model detail view of
:mod:`~django.contrib.admindocs` when a model has a reverse foreign key
relation (:ticket:`24624`).
* Prevented arbitrary file inclusions in :mod:`~django.contrib.admindocs`
(:ticket:`24625`).

0
tests/admin_docs/evilfile.txt Normal file
View File

6
tests/admin_docs/models.py
View File

@@ -29,6 +29,12 @@ class Person(models.Model):
Field storing :model:`myapp.Company` where the person works.
(DESCRIPTION)
.. raw:: html
:file: admin_docs/evilfile.txt
.. include:: admin_docs/evilfile.txt
"""
first_name = models.CharField(max_length=200, help_text="The person's first name")
last_name = models.CharField(max_length=200, help_text="The person's last name")

6
tests/admin_docs/tests.py
View File

@@ -290,6 +290,12 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase):
"all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
)
# "raw" and "include" directives are disabled
self.assertContains(self.response, '<p>&quot;raw&quot; directive disabled.</p>',)
self.assertContains(self.response, '.. raw:: html\n :file: admin_docs/evilfile.txt')
self.assertContains(self.response, '<p>&quot;include&quot; directive disabled.</p>',)
self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
def test_model_with_many_to_one(self):
link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
response = self.client.get(