mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-25 14:46:09 +00:00
Code Issues 32 Releases Wiki Activity

[1.8.x] Fixed #24625 -- Prevented arbitrary file inclusion in admindocs

Browse Source 
Thanks Tim Graham for the review.

Backport of 09595b4fc6 from master
This commit is contained in:
Markus Holtermann
2015-03-31 15:47:06 +02:00
parent 774d09a7dd
commit 3862826fed
5 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
tests/admin_docs/tests.py
View File

@@ -280,6 +280,12 @@ class TestModelDetailView(AdminDocsTestCase):
"all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
)
# "raw" and "include" directives are disabled
self.assertContains(self.response, '<p>&quot;raw&quot; directive disabled.</p>',)
self.assertContains(self.response, '.. raw:: html\n :file: admin_docs/evilfile.txt')
self.assertContains(self.response, '<p>&quot;include&quot; directive disabled.</p>',)
self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
def test_model_with_many_to_one(self):
link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
response = self.client.get(