diff --git a/django/contrib/admindocs/utils.py b/django/contrib/admindocs/utils.py
index f366025f891..5aaf37bb9a6 100644
--- a/django/contrib/admindocs/utils.py
+++ b/django/contrib/admindocs/utils.py
@@ -67,7 +67,9 @@ def parse_rst(text, default_reference_context, thing_being_parsed=None):
 'doctitle_xform': True,
 'inital_header_level': 3,
 "default_reference_context": default_reference_context,
- "link_base": reverse('django-admindocs-docroot').rstrip('/')
+ "link_base": reverse('django-admindocs-docroot').rstrip('/'),
+ 'raw_enabled': False,
+ 'file_insertion_enabled': False,
 }
 if thing_being_parsed:
 thing_being_parsed = force_bytes("<%s>" % thing_being_parsed)
diff --git a/docs/releases/1.8.1.txt b/docs/releases/1.8.1.txt
index 9b18dea176a..d942d32842f 100644
--- a/docs/releases/1.8.1.txt
+++ b/docs/releases/1.8.1.txt
@@ -35,3 +35,6 @@ Bugfixes
 * Fixed a regression in the model detail view of :mod:`~django.contrib.admindocs` when a model has a reverse foreign key relation (:ticket:`24624`).
+
+* Prevented arbitrary file inclusions in :mod:`~django.contrib.admindocs`
+ (:ticket:`24625`).
diff --git a/tests/admin_docs/evilfile.txt b/tests/admin_docs/evilfile.txt
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/tests/admin_docs/models.py b/tests/admin_docs/models.py
index 7e8b6c37e84..89a9e8c98ef 100644
--- a/tests/admin_docs/models.py
+++ b/tests/admin_docs/models.py
@@ -29,6 +29,12 @@ class Person(models.Model):
 Field storing :model:`myapp.Company` where the person works.
 (DESCRIPTION)
+
+ .. raw:: html
+ :file: admin_docs/evilfile.txt
+
+ .. include:: admin_docs/evilfile.txt
+
 """
 first_name = models.CharField(max_length=200, help_text="The person's first name")
 last_name = models.CharField(max_length=200, help_text="The person's last name")
diff --git a/tests/admin_docs/tests.py b/tests/admin_docs/tests.py
index b4f78477df9..a59443adf4d 100644
--- a/tests/admin_docs/tests.py
+++ b/tests/admin_docs/tests.py
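Review bot: The two new settings in the overrides dict carry no comment saying why they are set, and since they are the whole security fix, the next maintainer should not need the ticket to learn that the docstrings and help_text fed to parse_rst are treated as untrusted input. A one-line comment above `'raw_enabled': False,` would carry it: `# Docstrings are untrusted input: disable "raw" and every :file:/:url: insertion (include, raw, csv-table).`. For the record, `file_insertion_enabled` is the docutils setting that governs the `include` directive and the `:file:`/`:url:` options of `raw` and `csv-table`, while `raw_enabled` additionally stops raw markup from being passed straight through into the rendered admindocs page, so the pair is needed rather than either alone. Two smaller points on the same lines: the new keys use single quotes while the neighbouring `"default_reference_context"` and `"link_base"` keys use double quotes, and the context line `'inital_header_level': 3,` looks like a misspelling of docutils' `initial_header_level`, which would make that override a silent no-op (pre-existing, but worth a follow-up). parse_rst continues outside the hunk.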
@@ -290,6 +290,12 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase): "all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group")) ) + # "raw" and "include" directives are disabled + self.assertContains(self.response, '

"raw" directive disabled.

',) + self.assertContains(self.response, '.. raw:: html\n :file: admin_docs/evilfile.txt') + self.assertContains(self.response, '

"include" directive disabled.

',) + self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt') + def test_model_with_many_to_one(self): link = '%s' response = self.client.get(
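Review bot: The new assertions only prove that docutils emitted its "directive disabled" system messages; nothing checks that the contents of `admin_docs/evilfile.txt` failed to reach the page, and since the fixture file added in this commit appears to be empty (no hunk body), such a check is not currently possible. Giving the fixture a recognisable sentinel line and adding `self.assertNotContains(self.response, 'SENTINEL_LINE_PLACEHOLDER')` would pin the property actually being fixed rather than docutils' message wording, which can change between docutils releases. The models.py fixture also exercises only the `:file:` form of `raw`; the `:url:` form is governed by the same `file_insertion_enabled` setting and deserves a directive of its own in that docstring. On style, both `self.assertContains(self.response, '...',)` calls carry a stray trailing comma before the closing parenthesis. The enclosing test method starts outside the hunk.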