Fixed #24625 -- Prevented arbitrary file inclusion in admindocs
Thanks Tim Graham for the review.
This commit is contained in:
parent
4e7ed8d0d3
commit
09595b4fc6
|
@ -67,7 +67,9 @@ def parse_rst(text, default_reference_context, thing_being_parsed=None):
|
|||
'doctitle_xform': True,
|
||||
'inital_header_level': 3,
|
||||
"default_reference_context": default_reference_context,
|
||||
"link_base": reverse('django-admindocs-docroot').rstrip('/')
|
||||
"link_base": reverse('django-admindocs-docroot').rstrip('/'),
|
||||
'raw_enabled': False,
|
||||
'file_insertion_enabled': False,
|
||||
}
|
||||
if thing_being_parsed:
|
||||
thing_being_parsed = force_bytes("<%s>" % thing_being_parsed)
|
||||
|
|
|
@ -35,3 +35,6 @@ Bugfixes
|
|||
* Fixed a regression in the model detail view of
|
||||
:mod:`~django.contrib.admindocs` when a model has a reverse foreign key
|
||||
relation (:ticket:`24624`).
|
||||
|
||||
* Prevented arbitrary file inclusions in :mod:`~django.contrib.admindocs`
|
||||
(:ticket:`24625`).
|
||||
|
|
|
@ -29,6 +29,12 @@ class Person(models.Model):
|
|||
Field storing :model:`myapp.Company` where the person works.
|
||||
|
||||
(DESCRIPTION)
|
||||
|
||||
.. raw:: html
|
||||
:file: admin_docs/evilfile.txt
|
||||
|
||||
.. include:: admin_docs/evilfile.txt
|
||||
|
||||
"""
|
||||
first_name = models.CharField(max_length=200, help_text="The person's first name")
|
||||
last_name = models.CharField(max_length=200, help_text="The person's last name")
|
||||
|
|
|
@ -290,6 +290,12 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase):
|
|||
"all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
|
||||
)
|
||||
|
||||
# "raw" and "include" directives are disabled
|
||||
self.assertContains(self.response, '<p>"raw" directive disabled.</p>',)
|
||||
self.assertContains(self.response, '.. raw:: html\n :file: admin_docs/evilfile.txt')
|
||||
self.assertContains(self.response, '<p>"include" directive disabled.</p>',)
|
||||
self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
|
||||
|
||||
def test_model_with_many_to_one(self):
|
||||
link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
|
||||
response = self.client.get(
|
||||
|
|
Loading…
Reference in New Issue