diff --git a/django/template/loaders/app_directories.py b/django/template/loaders/app_directories.py index c520689644..f0f4b1a70e 100644 --- a/django/template/loaders/app_directories.py +++ b/django/template/loaders/app_directories.py @@ -1,9 +1,14 @@ -# Wrapper for loading templates from "template" directories in installed app packages. +""" +Wrapper for loading templates from "template" directories in INSTALLED_APPS +packages. +""" + +import os from django.conf import settings from django.core.exceptions import ImproperlyConfigured from django.template import TemplateDoesNotExist -import os +from django.utils._os import safe_join # At compile time, cache the directories to search. app_template_dirs = [] @@ -28,8 +33,14 @@ for app in settings.INSTALLED_APPS: app_template_dirs = tuple(app_template_dirs) def get_template_sources(template_name, template_dirs=None): - for template_dir in app_template_dirs: - yield os.path.join(template_dir, template_name) + if not template_dirs: + template_dirs = app_template_dirs + for template_dir in template_dirs: + try: + yield safe_join(template_dir, template_name) + except ValueError: + # The joined path was located outside of template_dir. + pass def load_template_source(template_name, template_dirs=None): for filepath in get_template_sources(template_name, template_dirs): diff --git a/django/template/loaders/filesystem.py b/django/template/loaders/filesystem.py index 3ba4625cda..9997eb9a54 100644 --- a/django/template/loaders/filesystem.py +++ b/django/template/loaders/filesystem.py @@ -1,14 +1,20 @@ -# Wrapper for loading templates from the filesystem. +""" +Wrapper for loading templates from the filesystem. +""" from django.conf import settings from django.template import TemplateDoesNotExist -import os +from django.utils._os import safe_join def get_template_sources(template_name, template_dirs=None): if not template_dirs: template_dirs = settings.TEMPLATE_DIRS for template_dir in template_dirs: - yield os.path.join(template_dir, template_name) + try: + yield safe_join(template_dir, template_name) + except ValueError: + # The joined path was located outside of template_dir. + pass def load_template_source(template_name, template_dirs=None): tried = [] diff --git a/django/utils/_os.py b/django/utils/_os.py new file mode 100644 index 0000000000..f7114af291 --- /dev/null +++ b/django/utils/_os.py @@ -0,0 +1,23 @@ +from os.path import join, normcase, abspath, sep + +def safe_join(base, *paths): + """ + Join one or more path components to the base path component intelligently. + Return a normalized, absolute version of the final path. + + The final path must be located inside of the base path component (otherwise + a ValueError is raised). + """ + # We need to use normcase to ensure we don't false-negative on case + # insensitive operating systems (like Windows). + final_path = normcase(abspath(join(base, *paths))) + base_path = normcase(abspath(base)) + base_path_len = len(base_path) + # Ensure final_path starts with base_path and that the next character after + # the final path is os.sep (or nothing, in which case final_path must be + # equal to base_path). + if not final_path.startswith(base_path) \ + or final_path[base_path_len:base_path_len+1] not in ('', sep): + raise ValueError('the joined path is located outside of the base path' + ' component') + return final_path diff --git a/tests/regressiontests/templates/tests.py b/tests/regressiontests/templates/tests.py index e72455d3b9..0f7ac2f352 100644 --- a/tests/regressiontests/templates/tests.py +++ b/tests/regressiontests/templates/tests.py @@ -6,13 +6,17 @@ if __name__ == '__main__': # before importing 'template'. settings.configure() +import os +import unittest +from datetime import datetime, timedelta + from django import template from django.template import loader +from django.template.loaders import app_directories, filesystem from django.utils.translation import activate, deactivate, install, ugettext as _ from django.utils.tzinfo import LocalTimezone -from datetime import datetime, timedelta + from unicode import unicode_tests -import unittest # Some other tests we would like to run __test__ = { @@ -75,6 +79,46 @@ class UTF8Class: return u'ŠĐĆŽćžšđ'.encode('utf-8') class Templates(unittest.TestCase): + def test_loaders_security(self): + def test_template_sources(path, template_dirs, expected_sources): + # Fix expected sources so they are normcased and abspathed + expected_sources = [os.path.normcase(os.path.abspath(s)) for s in expected_sources] + # Test app_directories loader + sources = app_directories.get_template_sources(path, template_dirs) + self.assertEqual(list(sources), expected_sources) + # Test filesystem loader + sources = filesystem.get_template_sources(path, template_dirs) + self.assertEqual(list(sources), expected_sources) + + template_dirs = ['/dir1', '/dir2'] + test_template_sources('index.html', template_dirs, + ['/dir1/index.html', '/dir2/index.html']) + test_template_sources('/etc/passwd', template_dirs, + []) + test_template_sources('etc/passwd', template_dirs, + ['/dir1/etc/passwd', '/dir2/etc/passwd']) + test_template_sources('../etc/passwd', template_dirs, + []) + test_template_sources('../../../etc/passwd', template_dirs, + []) + test_template_sources('/dir1/index.html', template_dirs, + ['/dir1/index.html']) + test_template_sources('../dir2/index.html', template_dirs, + ['/dir2/index.html']) + test_template_sources('/dir1blah', template_dirs, + []) + test_template_sources('../dir1blah', template_dirs, + []) + + # Case insensitive tests (for win32). Not run unless we're on + # a case insensitive operating system. + if os.path.normcase('/TEST') == os.path.normpath('/test'): + template_dirs = ['/dir1', '/DIR2'] + test_template_sources('index.html', template_dirs, + ['/dir1/index.html', '/dir2/index.html']) + test_template_sources('/DIR1/index.HTML', template_dirs, + ['/dir1/index.html']) + def test_templates(self): # NOW and NOW_tz are used by timesince tag tests. NOW = datetime.now()