p31829507
/
django
mirror of https://github.com/django/django.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fixed #24625 -- Prevented arbitrary file inclusion in admindocs 

Thanks Tim Graham for the review.
This commit is contained in:
Markus Holtermann 2015-03-31 15:47:06 +02:00
parent 4e7ed8d0d3
commit 09595b4fc6
5 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
django/contrib/admindocs/utils.py
View File

@ -67,7 +67,9 @@ def parse_rst(text, default_reference_context, thing_being_parsed=None):
'doctitle_xform': True, 'doctitle_xform': True,
'inital_header_level': 3, 'inital_header_level': 3,
"default_reference_context": default_reference_context, "default_reference_context": default_reference_context,
"link_base": reverse('django-admindocs-docroot').rstrip('/') "link_base": reverse('django-admindocs-docroot').rstrip('/'),
'raw_enabled': False,
'file_insertion_enabled': False,
} }
if thing_being_parsed: if thing_being_parsed:
thing_being_parsed = force_bytes("<%s>" % thing_being_parsed) thing_being_parsed = force_bytes("<%s>" % thing_being_parsed)

3
docs/releases/1.8.1.txt
View File

@ -35,3 +35,6 @@ Bugfixes
* Fixed a regression in the model detail view of * Fixed a regression in the model detail view of
:mod:`~django.contrib.admindocs` when a model has a reverse foreign key :mod:`~django.contrib.admindocs` when a model has a reverse foreign key
relation (:ticket:`24624`). relation (:ticket:`24624`).
* Prevented arbitrary file inclusions in :mod:`~django.contrib.admindocs`
(:ticket:`24625`).

0
tests/admin_docs/evilfile.txt Normal file
View File

6
tests/admin_docs/models.py
View File

@ -29,6 +29,12 @@ class Person(models.Model):
Field storing :model:`myapp.Company` where the person works. Field storing :model:`myapp.Company` where the person works.
(DESCRIPTION) (DESCRIPTION)
.. raw:: html
:file: admin_docs/evilfile.txt
.. include:: admin_docs/evilfile.txt
""" """
first_name = models.CharField(max_length=200, help_text="The person's first name") first_name = models.CharField(max_length=200, help_text="The person's first name")
last_name = models.CharField(max_length=200, help_text="The person's last name") last_name = models.CharField(max_length=200, help_text="The person's last name")

6
tests/admin_docs/tests.py
View File

@ -290,6 +290,12 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase):
"all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group")) "all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
) )
# "raw" and "include" directives are disabled
self.assertContains(self.response, '<p>&quot;raw&quot; directive disabled.</p>',)
self.assertContains(self.response, '.. raw:: html\n :file: admin_docs/evilfile.txt')
self.assertContains(self.response, '<p>&quot;include&quot; directive disabled.</p>',)
self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
def test_model_with_many_to_one(self): def test_model_with_many_to_one(self):
link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>' link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
response = self.client.get( response = self.client.get(