Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.

This commit is contained in:
Florian Apolloner 2021-05-17 11:26:36 +02:00 committed by Carlton Gibson
parent f66ae7a2d5
commit 46572de2e9
5 changed files with 52 additions and 3 deletions

View File

@ -15,6 +15,7 @@ from django.db import models
from django.http import Http404 from django.http import Http404
from django.template.engine import Engine from django.template.engine import Engine
from django.urls import get_mod_func, get_resolver, get_urlconf from django.urls import get_mod_func, get_resolver, get_urlconf
from django.utils._os import safe_join
from django.utils.decorators import method_decorator from django.utils.decorators import method_decorator
from django.utils.functional import cached_property from django.utils.functional import cached_property
from django.utils.inspect import ( from django.utils.inspect import (
@ -333,7 +334,7 @@ class TemplateDetailView(BaseAdminDocsView):
else: else:
# This doesn't account for template loaders (#24128). # This doesn't account for template loaders (#24128).
for index, directory in enumerate(default_engine.dirs): for index, directory in enumerate(default_engine.dirs):
template_file = Path(directory) / template template_file = Path(safe_join(directory, template))
if template_file.exists(): if template_file.exists():
template_contents = template_file.read_text() template_contents = template_file.read_text()
else: else:

View File

@ -6,4 +6,14 @@ Django 2.2.24 release notes
Django 2.2.24 fixes two security issues in 2.2.23. Django 2.2.24 fixes two security issues in 2.2.23.
... CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================
Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.

View File

@ -6,4 +6,14 @@ Django 3.1.12 release notes
Django 3.1.12 fixes two security issues in 3.1.11. Django 3.1.12 fixes two security issues in 3.1.11.
... CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================
Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.

View File

@ -6,6 +6,18 @@ Django 3.2.4 release notes
Django 3.2.4 fixes two security issues and several bugs in 3.2.3. Django 3.2.4 fixes two security issues and several bugs in 3.2.3.
CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================
Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.
As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.
Bugfixes Bugfixes
======== ========

View File

@ -154,6 +154,22 @@ class AdminDocViewTests(TestDataMixin, AdminDocsTestCase):
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
@unittest.skipUnless(utils.docutils_is_available, 'no docutils installed.')
class AdminDocViewDefaultEngineOnly(TestDataMixin, AdminDocsTestCase):
def setUp(self):
self.client.force_login(self.superuser)
def test_template_detail_path_traversal(self):
cases = ['/etc/passwd', '../passwd']
for fpath in cases:
with self.subTest(path=fpath):
response = self.client.get(
reverse('django-admindocs-templates', args=[fpath]),
)
self.assertEqual(response.status_code, 400)
@override_settings(TEMPLATES=[{ @override_settings(TEMPLATES=[{
'NAME': 'ONE', 'NAME': 'ONE',
'BACKEND': 'django.template.backends.django.DjangoTemplates', 'BACKEND': 'django.template.backends.django.DjangoTemplates',