| author | Markus Holtermann <info@markusholtermann.eu> | 2015-03-31 15:47:06 +0200 |
|---|---|---|
| committer | Markus Holtermann <info@markusholtermann.eu> | 2015-04-11 20:36:10 +0200 |
| commit | 09595b4fc67ac4c94ed4e0d4c69acc1e4a748c81 (patch) | |
| tree | 1070880104158663ba7b0bdbb90349283efda46a /tests/admin_docs/tests.py | |
| parent | 4e7ed8d0d3e29e21d46abe06ac244da3754c82cc (diff) | |
Fixed #24625 -- Prevented arbitrary file inclusion in admindocs
Thanks Tim Graham for the review.
Diffstat (limited to 'tests/admin_docs/tests.py')
| -rw-r--r-- | tests/admin_docs/tests.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/tests/admin_docs/tests.py b/tests/admin_docs/tests.py
index b4f78477df..a59443adf4 100644
--- a/tests/admin_docs/tests.py
+++ b/tests/admin_docs/tests.py
@@ -290,6 +290,12 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase):
 "all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
 )
 
+ # "raw" and "include" directives are disabled
+ self.assertContains(self.response, '<p>"raw" directive disabled.</p>',)
+ self.assertContains(self.response, '.. raw:: html\n :file: admin_docs/evilfile.txt')
+ self.assertContains(self.response, '<p>"include" directive disabled.</p>',)
+ self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
+
 def test_model_with_many_to_one(self):
 link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
 response = self.client.get( |
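Review bot: None of the four added assertions checks that the contents of `admin_docs/evilfile.txt` are absent from the response, which is the property the fix is meant to guarantee; they only check that the "directive disabled" messages and the literal directive text are rendered. Consider adding `self.assertNotContains(self.response, '<marker string from evilfile.txt>')` after the last assertion, using a marker taken from the fixture file, which is not visible here because the diff is limited to tests.py. The trailing comma before the closing parenthesis in the two `'... directive disabled.</p>',)` calls is stray and can be dropped. The enclosing test method starts above the hunk, so its name and the setup that produces `self.response` cannot be checked from this page.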
