From 3862826fedc99378279b85e602079b53593ae129 Mon Sep 17 00:00:00 2001
From: Markus Holtermann
Date: Tue, 31 Mar 2015 15:47:06 +0200
Subject: [PATCH] [1.8.x] Fixed #24625 -- Prevented arbitrary file inclusion in admindocs
Thanks Tim Graham for the review.
Backport of 09595b4fc67ac4c94ed4e0d4c69acc1e4a748c81 from master
---
 django/contrib/admindocs/utils.py | 4 +++-
 docs/releases/1.8.1.txt | 3 +++
 tests/admin_docs/evilfile.txt | 0
 tests/admin_docs/models.py | 6 ++++++
 tests/admin_docs/tests.py | 6 ++++++
 5 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 tests/admin_docs/evilfile.txt
diff --git a/django/contrib/admindocs/utils.py b/django/contrib/admindocs/utils.py
index f366025f89..5aaf37bb9a 100644
--- a/django/contrib/admindocs/utils.py
+++ b/django/contrib/admindocs/utils.py
@@ -67,7 +67,9 @@ def parse_rst(text, default_reference_context, thing_being_parsed=None):
 'doctitle_xform': True,
 'inital_header_level': 3,
 "default_reference_context": default_reference_context,
- "link_base": reverse('django-admindocs-docroot').rstrip('/')
+ "link_base": reverse('django-admindocs-docroot').rstrip('/'),
+ 'raw_enabled': False,
+ 'file_insertion_enabled': False,
 }
 if thing_being_parsed:
 thing_being_parsed = force_bytes("<%s>" % thing_being_parsed)
diff --git a/docs/releases/1.8.1.txt b/docs/releases/1.8.1.txt
index 9b18dea176..d942d32842 100644
--- a/docs/releases/1.8.1.txt
+++ b/docs/releases/1.8.1.txt
@@ -35,3 +35,6 @@ Bugfixes
 * Fixed a regression in the model detail view of :mod:`~django.contrib.admindocs` when a model has a reverse foreign key relation (:ticket:`24624`).
+
+* Prevented arbitrary file inclusions in :mod:`~django.contrib.admindocs`
+ (:ticket:`24625`).
diff --git a/tests/admin_docs/evilfile.txt b/tests/admin_docs/evilfile.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tests/admin_docs/models.py b/tests/admin_docs/models.py
index 7e8b6c37e8..89a9e8c98e 100644
--- a/tests/admin_docs/models.py
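Review bot: The two new keys `'raw_enabled': False` and `'file_insertion_enabled': False` are the whole fix, yet nothing in the settings dict says why they exist, so a later tidy-up of these docutils options could drop them with only the new tests as a signal. I would put a comment directly above them: `# Security: keep both False. raw_enabled=False rejects ".. raw::" (unescaped markup reaching admin pages); file_insertion_enabled=False rejects ".. include::" and the ":file:"/":url:" options that would read arbitrary local files or remote URLs into the page.` Separately, the context line just above, `'inital_header_level': 3`, misspells docutils' `initial_header_level` and is probably ignored silently by docutils; it is pre-existing and not this patch's concern, but worth a follow-up. parse_rst begins before this hunk and continues after it.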
+++ b/tests/admin_docs/models.py
@@ -29,6 +29,12 @@ class Person(models.Model):
 Field storing :model:`myapp.Company` where the person works.
 (DESCRIPTION)
+
+ .. raw:: html
+ :file: admin_docs/evilfile.txt
+
+ .. include:: admin_docs/evilfile.txt
+
 """
 first_name = models.CharField(max_length=200, help_text="The person's first name")
 last_name = models.CharField(max_length=200, help_text="The person's last name")
diff --git a/tests/admin_docs/tests.py b/tests/admin_docs/tests.py
index fe668e2119..94054f9437 100644
--- a/tests/admin_docs/tests.py
+++ b/tests/admin_docs/tests.py
@@ -280,6 +280,12 @@ class TestModelDetailView(AdminDocsTestCase):
 "all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
 )
+ # "raw" and "include" directives are disabled
+ self.assertContains(self.response, '

"raw" directive disabled.

',)
+ self.assertContains(self.response, '.. raw:: html\n :file: admin_docs/evilfile.txt')
+ self.assertContains(self.response, '

"include" directive disabled.

',)
+ self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
+
 def test_model_with_many_to_one(self):
 link = '%s'
 response = self.client.get(
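Review bot: The fixture `tests/admin_docs/evilfile.txt` is added as an empty file (the diffstat shows `| 0` and the index is the empty blob), so these four assertions only prove that docutils emitted its "directive disabled" messages and echoed the directive source back; they cannot show that the file's contents stayed out of the page, and a regression that re-enabled inclusion of an empty file would still pass. Give the fixture a sentinel line such as `EVIL_FILE_MARKER` and add `self.assertNotContains(self.response, 'EVIL_FILE_MARKER')` after the existing checks so the test fails on actual leakage rather than on message wording. The expected markup inside the first and third `assertContains` calls appears to have lost its HTML tags in this rendering, so I cannot review the exact system-message strings here. The test method these assertions belong to starts before the hunk.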