diff options
| author | Tim Graham <timograham@gmail.com> | 2013-08-27 18:50:11 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2013-09-10 21:03:51 -0400 |
| commit | 536cc64240f7f331b805104bfd8cd82c98e44f12 (patch) | |
| tree | e636b91b3c452b2b90a8891753c0ab5dc70d654e | |
| parent | ef3604a085ae7b6ce20a84cf27c474b9e316f607 (diff) | |
[1.6.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.
Thanks Rainer Koirikivi for the report and draft patch.
This is a security fix; disclosure to follow shortly.
Backport of 7fe5b656c9 from master
| -rw-r--r-- | django/template/defaulttags.py | 2 | ||||
| -rw-r--r-- | tests/template_tests/tests.py | 31 |
2 files changed, 33 insertions, 0 deletions
diff --git a/django/template/defaulttags.py b/django/template/defaulttags.py index 959de3dea1..554c7bc739 100644 --- a/django/template/defaulttags.py +++ b/django/template/defaulttags.py @@ -1,6 +1,7 @@ """Default tags used by the template system, available to all templates.""" from __future__ import unicode_literals +import os import sys import re from datetime import datetime @@ -332,6 +333,7 @@ class RegroupNode(Node): return '' def include_is_allowed(filepath): + filepath = os.path.abspath(filepath) for root in settings.ALLOWED_INCLUDE_ROOTS: if filepath.startswith(root): return True diff --git a/tests/template_tests/tests.py b/tests/template_tests/tests.py index b2f35b1a8d..879acc15de 100644 --- a/tests/template_tests/tests.py +++ b/tests/template_tests/tests.py @@ -1832,3 +1832,34 @@ class RequestContextTests(unittest.TestCase): template.Template('{% include "child" only %}').render(ctx), 'none' ) + + +class SSITests(TestCase): + def setUp(self): + self.this_dir = os.path.dirname(os.path.abspath(upath(__file__))) + self.ssi_dir = os.path.join(self.this_dir, "templates", "first") + + def render_ssi(self, path): + # the path must exist for the test to be reliable + self.assertTrue(os.path.exists(path)) + return template.Template('{%% ssi "%s" %%}' % path).render(Context()) + + def test_allowed_paths(self): + acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html") + with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)): + self.assertEqual(self.render_ssi(acceptable_path), 'First template\n') + + def test_relative_include_exploit(self): + """ + May not bypass ALLOWED_INCLUDE_ROOTS with relative paths + + e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be + possible to do {% ssi "/var/www/../../etc/passwd" %} + """ + disallowed_paths = [ + os.path.join(self.ssi_dir, "..", "ssi_include.html"), + os.path.join(self.ssi_dir, "..", "second", "test.html"), + ] + with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)): + for path in disallowed_paths: + self.assertEqual(self.render_ssi(path), '') |
