From 7fe5b656c9d4f54d70b83edaa6225115805a2325 Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Tue, 27 Aug 2013 18:50:11 -0400
Subject: [PATCH] Prevented arbitrary file inclusion with {% ssi %} tag and
 relative paths.

Thanks Rainer Koirikivi for the report and draft patch.

This is a security fix; disclosure to follow shortly.
---
 django/template/defaulttags.py |  2 ++
 tests/template_tests/tests.py  | 31 +++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/django/template/defaulttags.py b/django/template/defaulttags.py
index 0eae48eb87f..798323c2cfe 100644
--- a/django/template/defaulttags.py
+++ b/django/template/defaulttags.py
@@ -1,6 +1,7 @@
 """Default tags used by the template system, available to all templates."""
 from __future__ import unicode_literals
 
+import os
 import sys
 import re
 from datetime import datetime
@@ -328,6 +329,7 @@ class RegroupNode(Node):
         return ''
 
 def include_is_allowed(filepath):
+    filepath = os.path.abspath(filepath)
     for root in settings.ALLOWED_INCLUDE_ROOTS:
         if filepath.startswith(root):
             return True
diff --git a/tests/template_tests/tests.py b/tests/template_tests/tests.py
index 7fb194fe38d..2551d438901 100644
--- a/tests/template_tests/tests.py
+++ b/tests/template_tests/tests.py
@@ -1902,3 +1902,34 @@ class RequestContextTests(unittest.TestCase):
         # The stack should now contain 3 items:
         # [builtins, supplied context, context processor]
         self.assertEqual(len(ctx.dicts), 3)
+
+
+class SSITests(TestCase):
+    def setUp(self):
+        self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
+        self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
+
+    def render_ssi(self, path):
+        # the path must exist for the test to be reliable
+        self.assertTrue(os.path.exists(path))
+        return template.Template('{%% ssi "%s" %%}' % path).render(Context())
+
+    def test_allowed_paths(self):
+        acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
+        with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
+            self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
+
+    def test_relative_include_exploit(self):
+        """
+        May not bypass ALLOWED_INCLUDE_ROOTS with relative paths
+
+        e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be
+        possible to do {% ssi "/var/www/../../etc/passwd" %}
+        """
+        disallowed_paths = [
+            os.path.join(self.ssi_dir, "..", "ssi_include.html"),
+            os.path.join(self.ssi_dir, "..", "second", "test.html"),
+        ]
+        with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
+            for path in disallowed_paths:
+                self.assertEqual(self.render_ssi(path), '')