+52
-3
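--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -16,6 +16,7 @@
 from django.http import Http404
 from django.template.engine import Engine
 from django.urls import get_mod_func, get_resolver, get_urlconf
+from django.utils._os import safe_join
 from django.utils.decorators import method_decorator
 from django.utils.inspect import (
 func_accepts_kwargs, func_accepts_var_args, get_func_full_args,
@@ -329,7 +330,7 @@ def get_context_data(self, **kwargs):
 else:
 # This doesn't account for template loaders (#24128).
 for index, directory in enumerate(default_engine.dirs):
-template_file = Path(directory) / template
+template_file = Path(safe_join(directory, template))
 if template_file.exists():
 template_contents = template_file.read_text()
 else: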
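Review bot: The `safe_join` call at new line 333 relies on the `SuspiciousFileOperation` it raises propagating out of `get_context_data` so that Django's exception handling turns it into the 400 response the new test expects; nothing in the hunk catches or documents that, so a reader sees only an ordinary path join. A one-line comment would make the contract explicit: `# safe_join() raises SuspiciousFileOperation (rendered as a 400) when template resolves outside directory.` Note also that `safe_join` normalises the joined path lexically, so a symlink placed inside a template directory that points elsewhere still passes the check and is read by `read_text()`; that is presumably acceptable because template directories are developer-controlled, but it is worth stating in the same comment. `get_context_data` starts and ends outside the hunk.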
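--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -6,4 +6,14 @@ Django 2.2.24 release notes
 
 Django 2.2.24 fixes two security issues in 2.2.23.
 
-...
+CVE-2021-33203: Potential directory traversal via ``admindocs``
+===============================================================
+
+Staff members could use the :mod:`~django.contrib.admindocs`
+``TemplateDetailView`` view to check the existence of arbitrary files.
+Additionally, if (and only if) the default admindocs templates have been
+customized by the developers to also expose the file contents, then not only
+the existence but also the file contents would have been exposed.
+
+As a mitigation, path sanitation is now applied and only files within the
+template root directories can be loaded.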
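--- a/PATH_NOT_ON_PAGE_3
+++ b/PATH_NOT_ON_PAGE_3
@@ -6,4 +6,14 @@ Django 3.1.12 release notes
 
 Django 3.1.12 fixes two security issues in 3.1.11.
 
-...
+CVE-2021-33203: Potential directory traversal via ``admindocs``
+===============================================================
+
+Staff members could use the :mod:`~django.contrib.admindocs`
+``TemplateDetailView`` view to check the existence of arbitrary files.
+Additionally, if (and only if) the default admindocs templates have been
+customized by the developers to also expose the file contents, then not only
+the existence but also the file contents would have been exposed.
+
+As a mitigation, path sanitation is now applied and only files within the
+template root directories can be loaded.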
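--- a/PATH_NOT_ON_PAGE_4
+++ b/PATH_NOT_ON_PAGE_4
@@ -6,6 +6,18 @@ Django 3.2.4 release notes
 
 Django 3.2.4 fixes two security issues and several bugs in 3.2.3.
 
+CVE-2021-33203: Potential directory traversal via ``admindocs``
+===============================================================
+
+Staff members could use the :mod:`~django.contrib.admindocs`
+``TemplateDetailView`` view to check the existence of arbitrary files.
+Additionally, if (and only if) the default admindocs templates have been
+customized by the developers to also expose the file contents, then not only
+the existence but also the file contents would have been exposed.
+
+As a mitigation, path sanitation is now applied and only files within the
+template root directories can be loaded.
+
 Bugfixes
 ========
 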
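--- a/PATH_NOT_ON_PAGE_5
+++ b/PATH_NOT_ON_PAGE_5
@@ -137,6 +137,22 @@ def test_no_sites_framework(self):
 self.assertContains(response, 'View documentation')
 
 
+@unittest.skipUnless(utils.docutils_is_available, 'no docutils installed.')
+class AdminDocViewDefaultEngineOnly(TestDataMixin, AdminDocsTestCase):
+
+def setUp(self):
+self.client.force_login(self.superuser)
+
+def test_template_detail_path_traversal(self):
+cases = ['/etc/passwd', '../passwd']
+for fpath in cases:
+with self.subTest(path=fpath):
+response = self.client.get(
+reverse('django-admindocs-templates', args=[fpath]),
+)
+self.assertEqual(response.status_code, 400)
+
+
 @override_settings(TEMPLATES=[{
 'NAME': 'ONE',
 'BACKEND': 'django.template.backends.django.DjangoTemplates',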
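Review bot: `AdminDocViewDefaultEngineOnly` has no docstring saying why it is a separate class from the `@override_settings(TEMPLATES=...)` class that follows it; the name suggests it runs under the default TEMPLATES setting so that `TemplateDetailView` takes the `default_engine.dirs` branch the fix touches, but that is inferred from the name rather than visible here. Suggest adding under the class line `"""Run TemplateDetailView with the default TEMPLATES setting (default_engine.dirs branch)."""`. The test pins only the rejection path; a companion assertion in the same class that a name inside the template directories still returns 200 would catch a regression in which `safe_join` rejects every request. `TestDataMixin`, `AdminDocsTestCase` and `self.superuser` are defined outside the hunk.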