Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.

2025-10-25 06:36:07 +00:00 · 2021-05-17 11:26:36 +02:00
parent f66ae7a2d5
commit 46572de2e9
5 changed files with 52 additions and 3 deletions
--- a/django/contrib/admindocs/views.py
+++ b/django/contrib/admindocs/views.py
@@ -15,6 +15,7 @@ from django.db import models
 from django.http import Http404
 from django.template.engine import Engine
 from django.urls import get_mod_func, get_resolver, get_urlconf
+from django.utils._os import safe_join
 from django.utils.decorators import method_decorator
 from django.utils.functional import cached_property
 from django.utils.inspect import (
@@ -333,7 +334,7 @@ class TemplateDetailView(BaseAdminDocsView):
        else:
            # This doesn't account for template loaders (#24128).
            for index, directory in enumerate(default_engine.dirs):
-                template_file = Path(directory) / template
+                template_file = Path(safe_join(directory, template))
                if template_file.exists():
                    template_contents = template_file.read_text()
                else: