mirror of
				https://github.com/django/django.git
				synced 2025-10-24 22:26:08 +00:00 
			
		
		
		
	Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.
Thanks Rainer Koirikivi for the report and draft patch. This is a security fix; disclosure to follow shortly.
This commit is contained in:
		| @@ -1,6 +1,7 @@ | |||||||
| """Default tags used by the template system, available to all templates.""" | """Default tags used by the template system, available to all templates.""" | ||||||
| from __future__ import unicode_literals | from __future__ import unicode_literals | ||||||
|  |  | ||||||
|  | import os | ||||||
| import sys | import sys | ||||||
| import re | import re | ||||||
| from datetime import datetime | from datetime import datetime | ||||||
| @@ -328,6 +329,7 @@ class RegroupNode(Node): | |||||||
|         return '' |         return '' | ||||||
|  |  | ||||||
| def include_is_allowed(filepath): | def include_is_allowed(filepath): | ||||||
|  |     filepath = os.path.abspath(filepath) | ||||||
|     for root in settings.ALLOWED_INCLUDE_ROOTS: |     for root in settings.ALLOWED_INCLUDE_ROOTS: | ||||||
|         if filepath.startswith(root): |         if filepath.startswith(root): | ||||||
|             return True |             return True | ||||||
|   | |||||||
| @@ -1902,3 +1902,34 @@ class RequestContextTests(unittest.TestCase): | |||||||
|         # The stack should now contain 3 items: |         # The stack should now contain 3 items: | ||||||
|         # [builtins, supplied context, context processor] |         # [builtins, supplied context, context processor] | ||||||
|         self.assertEqual(len(ctx.dicts), 3) |         self.assertEqual(len(ctx.dicts), 3) | ||||||
|  |  | ||||||
|  |  | ||||||
|  | class SSITests(TestCase): | ||||||
|  |     def setUp(self): | ||||||
|  |         self.this_dir = os.path.dirname(os.path.abspath(upath(__file__))) | ||||||
|  |         self.ssi_dir = os.path.join(self.this_dir, "templates", "first") | ||||||
|  |  | ||||||
|  |     def render_ssi(self, path): | ||||||
|  |         # the path must exist for the test to be reliable | ||||||
|  |         self.assertTrue(os.path.exists(path)) | ||||||
|  |         return template.Template('{%% ssi "%s" %%}' % path).render(Context()) | ||||||
|  |  | ||||||
|  |     def test_allowed_paths(self): | ||||||
|  |         acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html") | ||||||
|  |         with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)): | ||||||
|  |             self.assertEqual(self.render_ssi(acceptable_path), 'First template\n') | ||||||
|  |  | ||||||
|  |     def test_relative_include_exploit(self): | ||||||
|  |         """ | ||||||
|  |         May not bypass ALLOWED_INCLUDE_ROOTS with relative paths | ||||||
|  |  | ||||||
|  |         e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be | ||||||
|  |         possible to do {% ssi "/var/www/../../etc/passwd" %} | ||||||
|  |         """ | ||||||
|  |         disallowed_paths = [ | ||||||
|  |             os.path.join(self.ssi_dir, "..", "ssi_include.html"), | ||||||
|  |             os.path.join(self.ssi_dir, "..", "second", "test.html"), | ||||||
|  |         ] | ||||||
|  |         with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)): | ||||||
|  |             for path in disallowed_paths: | ||||||
|  |                 self.assertEqual(self.render_ssi(path), '') | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user