Deprecated ALLOWED_INCLUDE_ROOTS.
This commit is contained in:
parent
84d7c93feb
commit
3dc01aaaaf
|
@ -232,14 +232,6 @@ details about the default templates:
|
|||
* :ref:`http_forbidden_view`
|
||||
* :ref:`http_bad_request_view`
|
||||
|
||||
Miscellaneous
|
||||
=============
|
||||
|
||||
:setting:`ALLOWED_INCLUDE_ROOTS`
|
||||
--------------------------------
|
||||
|
||||
This setting is required if you're using the :ttag:`ssi` template tag.
|
||||
|
||||
Python Options
|
||||
==============
|
||||
|
||||
|
|
|
@ -87,6 +87,10 @@ details on these changes.
|
|||
* The backwards compatibility shim to allow ``FormMixin.get_form()`` to be
|
||||
defined with no default value for its ``form_class`` argument will be removed.
|
||||
|
||||
* The following settings will be removed:
|
||||
|
||||
* ``ALLOWED_INCLUDE_ROOTS``
|
||||
|
||||
* The backwards compatibility alias ``django.template.loader.BaseLoader`` will
|
||||
be removed.
|
||||
|
||||
|
|
|
@ -123,6 +123,11 @@ ALLOWED_INCLUDE_ROOTS
|
|||
|
||||
Default: ``()`` (Empty tuple)
|
||||
|
||||
.. deprecated:: 1.8
|
||||
|
||||
Set the ``'allowed_include_roots'`` option in the :setting:`OPTIONS
|
||||
<TEMPLATES-OPTIONS>` of a ``DjangoTemplates`` backend instead.
|
||||
|
||||
A tuple of strings representing allowed prefixes for the ``{% ssi %}`` template
|
||||
tag. This is a security measure, so that template authors can't access files
|
||||
that they shouldn't be accessing.
|
||||
|
|
|
@ -996,8 +996,8 @@ file are evaluated as template code, within the current context::
|
|||
{% ssi '/home/html/ljworld.com/includes/right_generic.html' parsed %}
|
||||
|
||||
Note that if you use ``{% ssi %}``, you'll need to define
|
||||
:setting:`ALLOWED_INCLUDE_ROOTS` in your Django settings, as a security
|
||||
measure.
|
||||
``'allowed_include_roots'`` in the :setting:`OPTIONS <TEMPLATES-OPTIONS>` of
|
||||
your template engine, as a security measure.
|
||||
|
||||
.. note::
|
||||
With the :ttag:`ssi` tag and the ``parsed`` parameter
|
||||
|
|
|
@ -1014,6 +1014,14 @@ Related to the previous item, referencing views as strings in the ``url()``
|
|||
function is deprecated. Pass the callable view as described in the previous
|
||||
section instead.
|
||||
|
||||
Template-related settings
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
As a consequence of the multiple template engines refactor, several settings
|
||||
are deprecated in favor of :setting:`TEMPLATES`:
|
||||
|
||||
* ``ALLOWED_INCLUDE_ROOTS``
|
||||
|
||||
``django.core.context_processors``
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
|
|
@ -470,28 +470,27 @@ class SSITests(SimpleTestCase):
|
|||
def setUp(self):
|
||||
self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
|
||||
self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
|
||||
self.engine = Engine(allowed_include_roots=(self.ssi_dir,))
|
||||
|
||||
def render_ssi(self, path):
|
||||
# the path must exist for the test to be reliable
|
||||
self.assertTrue(os.path.exists(path))
|
||||
return template.Template('{%% ssi "%s" %%}' % path).render(Context())
|
||||
return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({}))
|
||||
|
||||
def test_allowed_paths(self):
|
||||
acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
|
||||
with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
|
||||
self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
|
||||
|
||||
def test_relative_include_exploit(self):
|
||||
"""
|
||||
May not bypass ALLOWED_INCLUDE_ROOTS with relative paths
|
||||
May not bypass allowed_include_roots with relative paths
|
||||
|
||||
e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be
|
||||
e.g. if allowed_include_roots = ("/var/www",), it should not be
|
||||
possible to do {% ssi "/var/www/../../etc/passwd" %}
|
||||
"""
|
||||
disallowed_paths = [
|
||||
os.path.join(self.ssi_dir, "..", "ssi_include.html"),
|
||||
os.path.join(self.ssi_dir, "..", "second", "test.html"),
|
||||
]
|
||||
with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
|
||||
for path in disallowed_paths:
|
||||
self.assertEqual(self.render_ssi(path), '')
|
||||
for disallowed_path in disallowed_paths:
|
||||
self.assertEqual(self.render_ssi(disallowed_path), '')
|
||||
|
|
Loading…
Reference in New Issue