[1.11.x] Fixed CVE-2017-7234 -- Fixed open redirect vulnerability in views.static.serve().
This is a security fix.
This commit is contained in:
parent
839159b67e
commit
001ff50808
|
@ -12,9 +12,9 @@ import stat
|
|||
|
||||
from django.http import (
|
||||
FileResponse, Http404, HttpResponse, HttpResponseNotModified,
|
||||
HttpResponseRedirect,
|
||||
)
|
||||
from django.template import Context, Engine, TemplateDoesNotExist, loader
|
||||
from django.utils._os import safe_join
|
||||
from django.utils.http import http_date, parse_http_date
|
||||
from django.utils.six.moves.urllib.parse import unquote
|
||||
from django.utils.translation import ugettext as _, ugettext_lazy
|
||||
|
@ -36,25 +36,11 @@ def serve(request, path, document_root=None, show_indexes=False):
|
|||
but if you'd like to override it, you can create a template called
|
||||
``static/directory_index.html``.
|
||||
"""
|
||||
path = posixpath.normpath(unquote(path))
|
||||
path = path.lstrip('/')
|
||||
newpath = ''
|
||||
for part in path.split('/'):
|
||||
if not part:
|
||||
# Strip empty path components.
|
||||
continue
|
||||
drive, part = os.path.splitdrive(part)
|
||||
head, part = os.path.split(part)
|
||||
if part in (os.curdir, os.pardir):
|
||||
# Strip '.' and '..' in path.
|
||||
continue
|
||||
newpath = os.path.join(newpath, part).replace('\\', '/')
|
||||
if newpath and path != newpath:
|
||||
return HttpResponseRedirect(newpath)
|
||||
fullpath = os.path.join(document_root, newpath)
|
||||
path = posixpath.normpath(unquote(path)).lstrip('/')
|
||||
fullpath = safe_join(document_root, path)
|
||||
if os.path.isdir(fullpath):
|
||||
if show_indexes:
|
||||
return directory_index(newpath, fullpath)
|
||||
return directory_index(path, fullpath)
|
||||
raise Http404(_("Directory indexes are not allowed here."))
|
||||
if not os.path.exists(fullpath):
|
||||
raise Http404(_('"%(path)s" does not exist') % {'path': fullpath})
|
||||
|
|
|
@ -6,6 +6,17 @@ Django 1.10.7 release notes
|
|||
|
||||
Django 1.10.7 fixes two security issues and a bug in 1.10.6.
|
||||
|
||||
CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
|
||||
=============================================================================
|
||||
|
||||
A maliciously crafted URL to a Django site using the
|
||||
:func:`~django.views.static.serve` view could redirect to any other domain. The
|
||||
view no longer does any redirects as they don't provide any known, useful
|
||||
functionality.
|
||||
|
||||
Note, however, that this view has always carried a warning that it is not
|
||||
hardened for production use and should be used only as a development aid.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
||||
|
|
|
@ -5,3 +5,14 @@ Django 1.8.18 release notes
|
|||
*April 4, 2017*
|
||||
|
||||
Django 1.8.18 fixes two security issues in 1.8.17.
|
||||
|
||||
CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
|
||||
=============================================================================
|
||||
|
||||
A maliciously crafted URL to a Django site using the
|
||||
:func:`~django.views.static.serve` view could redirect to any other domain. The
|
||||
view no longer does any redirects as they don't provide any known, useful
|
||||
functionality.
|
||||
|
||||
Note, however, that this view has always carried a warning that it is not
|
||||
hardened for production use and should be used only as a development aid.
|
||||
|
|
|
@ -7,6 +7,17 @@ Django 1.9.13 release notes
|
|||
Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final
|
||||
release of the 1.9.x series.
|
||||
|
||||
CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
|
||||
=============================================================================
|
||||
|
||||
A maliciously crafted URL to a Django site using the
|
||||
:func:`~django.views.static.serve` view could redirect to any other domain. The
|
||||
view no longer does any redirects as they don't provide any known, useful
|
||||
functionality.
|
||||
|
||||
Note, however, that this view has always carried a warning that it is not
|
||||
hardened for production use and should be used only as a development aid.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
||||
|
|
|
@ -110,7 +110,7 @@ class StaticTests(SimpleTestCase):
|
|||
|
||||
def test_index(self):
|
||||
response = self.client.get('/%s/' % self.prefix)
|
||||
self.assertContains(response, 'Index of /')
|
||||
self.assertContains(response, 'Index of ./')
|
||||
|
||||
|
||||
class StaticHelperTest(StaticTests):
|
||||
|
|
Loading…
Reference in New Issue