mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-24 06:06:09 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.

Browse Source
This commit is contained in:
Florian Apolloner
2021-05-17 11:26:36 +02:00
committed by Carlton Gibson
parent f66ae7a2d5
commit 46572de2e9
5 changed files with 52 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
docs/releases/2.2.24.txt
View File

@@ -6,4 +6,14 @@ Django 2.2.24 release notes
Django 2.2.24 fixes two security issues in 2.2.23.
...
CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================
Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.

12
docs/releases/3.1.12.txt
View File

@@ -6,4 +6,14 @@ Django 3.1.12 release notes
Django 3.1.12 fixes two security issues in 3.1.11.
...
CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================
Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.

12
docs/releases/3.2.4.txt
View File

@@ -6,6 +6,18 @@ Django 3.2.4 release notes
Django 3.2.4 fixes two security issues and several bugs in 3.2.3.
CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================
Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.
Bugfixes
========