summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2013-08-27 18:50:11 -0400
committerTim Graham <timograham@gmail.com>2013-09-10 21:03:51 -0400
commit536cc64240f7f331b805104bfd8cd82c98e44f12 (patch)
treee636b91b3c452b2b90a8891753c0ab5dc70d654e
parentef3604a085ae7b6ce20a84cf27c474b9e316f607 (diff)
[1.6.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.
Thanks Rainer Koirikivi for the report and draft patch. This is a security fix; disclosure to follow shortly. Backport of 7fe5b656c9 from master
-rw-r--r--django/template/defaulttags.py2
-rw-r--r--tests/template_tests/tests.py31
2 files changed, 33 insertions, 0 deletions
diff --git a/django/template/defaulttags.py b/django/template/defaulttags.py
index 959de3dea1..554c7bc739 100644
--- a/django/template/defaulttags.py
+++ b/django/template/defaulttags.py
@@ -1,6 +1,7 @@
"""Default tags used by the template system, available to all templates."""
from __future__ import unicode_literals
+import os
import sys
import re
from datetime import datetime
@@ -332,6 +333,7 @@ class RegroupNode(Node):
return ''
def include_is_allowed(filepath):
+ filepath = os.path.abspath(filepath)
for root in settings.ALLOWED_INCLUDE_ROOTS:
if filepath.startswith(root):
return True
diff --git a/tests/template_tests/tests.py b/tests/template_tests/tests.py
index b2f35b1a8d..879acc15de 100644
--- a/tests/template_tests/tests.py
+++ b/tests/template_tests/tests.py
@@ -1832,3 +1832,34 @@ class RequestContextTests(unittest.TestCase):
template.Template('{% include "child" only %}').render(ctx),
'none'
)
+
+
+class SSITests(TestCase):
+ def setUp(self):
+ self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
+ self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
+
+ def render_ssi(self, path):
+ # the path must exist for the test to be reliable
+ self.assertTrue(os.path.exists(path))
+ return template.Template('{%% ssi "%s" %%}' % path).render(Context())
+
+ def test_allowed_paths(self):
+ acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
+ with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
+ self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
+
+ def test_relative_include_exploit(self):
+ """
+ May not bypass ALLOWED_INCLUDE_ROOTS with relative paths
+
+ e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be
+ possible to do {% ssi "/var/www/../../etc/passwd" %}
+ """
+ disallowed_paths = [
+ os.path.join(self.ssi_dir, "..", "ssi_include.html"),
+ os.path.join(self.ssi_dir, "..", "second", "test.html"),
+ ]
+ with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
+ for path in disallowed_paths:
+ self.assertEqual(self.render_ssi(path), '')