| author | Markus Holtermann <info@markusholtermann.eu> | 2015-03-31 15:47:06 +0200 |
|---|---|---|
| committer | Markus Holtermann <info@markusholtermann.eu> | 2015-04-11 20:36:10 +0200 |
| commit | 09595b4fc67ac4c94ed4e0d4c69acc1e4a748c81 (patch) | |
| tree | 1070880104158663ba7b0bdbb90349283efda46a /tests/admin_docs | |
| parent | 4e7ed8d0d3e29e21d46abe06ac244da3754c82cc (diff) | |
Fixed #24625 -- Prevented arbitrary file inclusion in admindocs
Thanks Tim Graham for the review.
Diffstat (limited to 'tests/admin_docs')
| -rw-r--r-- | tests/admin_docs/evilfile.txt | 0 | ||||
| -rw-r--r-- | tests/admin_docs/models.py | 6 | ||||
| -rw-r--r-- | tests/admin_docs/tests.py | 6 |
3 files changed, 12 insertions, 0 deletions
diff --git a/tests/admin_docs/evilfile.txt b/tests/admin_docs/evilfile.txt
new file mode 100644
index 0000000000..e69de29bb2
--- /dev/null
+++ b/tests/admin_docs/evilfile.txt
diff --git a/tests/admin_docs/models.py b/tests/admin_docs/models.py
index 7e8b6c37e8..89a9e8c98e 100644
--- a/tests/admin_docs/models.py
+++ b/tests/admin_docs/models.py
@@ -29,6 +29,12 @@ class Person(models.Model):
 Field storing :model:`myapp.Company` where the person works.
 (DESCRIPTION)
+
+ .. raw:: html
+ :file: admin_docs/evilfile.txt
+
+ .. include:: admin_docs/evilfile.txt
+
 """
 first_name = models.CharField(max_length=200, help_text="The person's first name")
 last_name = models.CharField(max_length=200, help_text="The person's last name")
diff --git a/tests/admin_docs/tests.py b/tests/admin_docs/tests.py
index b4f78477df..a59443adf4 100644
--- a/tests/admin_docs/tests.py
+++ b/tests/admin_docs/tests.py
@@ -290,6 +290,12 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase):
 "all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
 )
+ # "raw" and "include" directives are disabled
+ self.assertContains(self.response, '<p>"raw" directive disabled.</p>',)
+ self.assertContains(self.response, '.. raw:: html\n :file: admin_docs/evilfile.txt')
+ self.assertContains(self.response, '<p>"include" directive disabled.</p>',)
+ self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
+
 def test_model_with_many_to_one(self):
 link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
 response = self.client.get( |
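Review bot: The four assertContains calls in the tests.py hunk only check that docutils emitted its "directive disabled" messages; they cannot catch a regression where the referenced file is actually inlined, because evilfile.txt is added empty (the diffstat shows 0 lines and its blob id 0000000000..e69de29bb2 is the empty-blob prefix), so nothing from it could ever appear in the response. Put a sentinel line such as `SENTINEL-MUST-NOT-RENDER` (constructed value) into evilfile.txt and add `self.assertNotContains(self.response, 'SENTINEL-MUST-NOT-RENDER')` after the existing assertions, so the test fails on inclusion independently of the exact docutils wording that `'<p>"raw" directive disabled.</p>'` pins and which may differ between docutils releases. The `,)` ending two of the assertContains calls is a stray trailing comma and reads as a typo. The same empty-fixture concern applies to the models.py hunk, whose Person docstring is what references admin_docs/evilfile.txt via the raw and include directives.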
