[1.8.x] Fixed #24625 -- Prevented arbitrary file inclusion in admindocs

Thanks Tim Graham for the review. Backport of 09595b4fc6 from master
2015-03-31 15:47:06 +02:00 · 2015-03-31 15:47:06 +02:00 · 3862826fed
parent 774d09a7dd
commit 3862826fed
5 changed files with 18 additions and 1 deletions
--- a/django/contrib/admindocs/utils.py
+++ b/django/contrib/admindocs/utils.py
@ -67,7 +67,9 @@ def parse_rst(text, default_reference_context, thing_being_parsed=None):
        'doctitle_xform': True,
        'inital_header_level': 3,
        "default_reference_context": default_reference_context,
-        "link_base": reverse('django-admindocs-docroot').rstrip('/')
+        "link_base": reverse('django-admindocs-docroot').rstrip('/'),
+        'raw_enabled': False,
+        'file_insertion_enabled': False,
    }
    if thing_being_parsed:
        thing_being_parsed = force_bytes("<%s>" % thing_being_parsed)
--- a/docs/releases/1.8.1.txt
+++ b/docs/releases/1.8.1.txt
@ -35,3 +35,6 @@ Bugfixes
 * Fixed a regression in the model detail view of
  :mod:`~django.contrib.admindocs` when a model has a reverse foreign key
  relation (:ticket:`24624`).
+
+* Prevented arbitrary file inclusions in :mod:`~django.contrib.admindocs`
+  (:ticket:`24625`).
--- a/tests/admin_docs/evilfile.txt
+++ b/tests/admin_docs/evilfile.txt
--- a/tests/admin_docs/models.py
+++ b/tests/admin_docs/models.py
@ -29,6 +29,12 @@ class Person(models.Model):
        Field storing :model:`myapp.Company` where the person works.

    (DESCRIPTION)
+
+    .. raw:: html
+        :file: admin_docs/evilfile.txt
+
+    .. include:: admin_docs/evilfile.txt
+
    """
    first_name = models.CharField(max_length=200, help_text="The person's first name")
    last_name = models.CharField(max_length=200, help_text="The person's last name")
--- a/tests/admin_docs/tests.py
+++ b/tests/admin_docs/tests.py
@ -280,6 +280,12 @@ class TestModelDetailView(AdminDocsTestCase):
            "all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
        )

+        # "raw" and "include" directives are disabled
+        self.assertContains(self.response, '<p>&quot;raw&quot; directive disabled.</p>',)
+        self.assertContains(self.response, '.. raw:: html\n    :file: admin_docs/evilfile.txt')
+        self.assertContains(self.response, '<p>&quot;include&quot; directive disabled.</p>',)
+        self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
+
    def test_model_with_many_to_one(self):
        link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
        response = self.client.get(