Deprecated ALLOWED_INCLUDE_ROOTS.
parent
84d7c93feb
commit
3dc01aaaaf
@ -232,14 +232,6 @@ details about the default templates:
|
||||||
* :ref:`http_forbidden_view`
|
* :ref:`http_forbidden_view`
|
||||||
* :ref:`http_bad_request_view`
|
* :ref:`http_bad_request_view`
|
||||||
|
|
||||||
Miscellaneous
|
|
||||||
=============
|
|
||||||
|
|
||||||
:setting:`ALLOWED_INCLUDE_ROOTS`
|
|
||||||
--------------------------------
|
|
||||||
|
|
||||||
This setting is required if you're using the :ttag:`ssi` template tag.
|
|
||||||
|
|
||||||
Python Options
|
Python Options
|
||||||
==============
|
==============
|
||||||
|
|
||||||
|
|
|
@ -87,6 +87,10 @@ details on these changes.
|
||||||
* The backwards compatibility shim to allow ``FormMixin.get_form()`` to be
|
* The backwards compatibility shim to allow ``FormMixin.get_form()`` to be
|
||||||
defined with no default value for its ``form_class`` argument will be removed.
|
defined with no default value for its ``form_class`` argument will be removed.
|
||||||
|
|
||||||
|
* The following settings will be removed:
|
||||||
|
|
||||||
|
* ``ALLOWED_INCLUDE_ROOTS``
|
||||||
|
|
||||||
* The backwards compatibility alias ``django.template.loader.BaseLoader`` will
|
* The backwards compatibility alias ``django.template.loader.BaseLoader`` will
|
||||||
be removed.
|
be removed.
|
||||||
|
|
||||||
|
|
|
@ -123,6 +123,11 @@ ALLOWED_INCLUDE_ROOTS
|
||||||
|
|
||||||
Default: ``()`` (Empty tuple)
|
Default: ``()`` (Empty tuple)
|
||||||
|
|
||||||
|
.. deprecated:: 1.8
|
||||||
|
|
||||||
|
Set the ``'allowed_include_roots'`` option in the :setting:`OPTIONS
|
||||||
|
<TEMPLATES-OPTIONS>` of a ``DjangoTemplates`` backend instead.
|
||||||
|
|
||||||
A tuple of strings representing allowed prefixes for the ``{% ssi %}`` template
|
A tuple of strings representing allowed prefixes for the ``{% ssi %}`` template
|
||||||
tag. This is a security measure, so that template authors can't access files
|
tag. This is a security measure, so that template authors can't access files
|
||||||
that they shouldn't be accessing.
|
that they shouldn't be accessing.
|
||||||
|
|
|
@ -996,8 +996,8 @@ file are evaluated as template code, within the current context::
|
||||||
{% ssi '/home/html/ljworld.com/includes/right_generic.html' parsed %}
|
{% ssi '/home/html/ljworld.com/includes/right_generic.html' parsed %}
|
||||||
|
|
||||||
Note that if you use ``{% ssi %}``, you'll need to define
|
Note that if you use ``{% ssi %}``, you'll need to define
|
||||||
:setting:`ALLOWED_INCLUDE_ROOTS` in your Django settings, as a security
|
``'allowed_include_roots'`` in the :setting:`OPTIONS <TEMPLATES-OPTIONS>` of
|
||||||
measure.
|
your template engine, as a security measure.
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
With the :ttag:`ssi` tag and the ``parsed`` parameter
|
With the :ttag:`ssi` tag and the ``parsed`` parameter
|
||||||
|
|
|
@ -1014,6 +1014,14 @@ Related to the previous item, referencing views as strings in the ``url()``
|
||||||
function is deprecated. Pass the callable view as described in the previous
|
function is deprecated. Pass the callable view as described in the previous
|
||||||
section instead.
|
section instead.
|
||||||
|
|
||||||
|
Template-related settings
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
As a consequence of the multiple template engines refactor, several settings
|
||||||
|
are deprecated in favor of :setting:`TEMPLATES`:
|
||||||
|
|
||||||
|
* ``ALLOWED_INCLUDE_ROOTS``
|
||||||
|
|
||||||
``django.core.context_processors``
|
``django.core.context_processors``
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
|
|
@ -470,28 +470,27 @@ class SSITests(SimpleTestCase):
|
||||||
def setUp(self):
|
def setUp(self):
|
||||||
self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
|
self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
|
||||||
self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
|
self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
|
||||||
|
self.engine = Engine(allowed_include_roots=(self.ssi_dir,))
|
||||||
|
|
||||||
def render_ssi(self, path):
|
def render_ssi(self, path):
|
||||||
# the path must exist for the test to be reliable
|
# the path must exist for the test to be reliable
|
||||||
self.assertTrue(os.path.exists(path))
|
self.assertTrue(os.path.exists(path))
|
||||||
return template.Template('{%% ssi "%s" %%}' % path).render(Context())
|
return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({}))
|
||||||
|
|
||||||
def test_allowed_paths(self):
|
def test_allowed_paths(self):
|
||||||
acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
|
acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
|
||||||
with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
|
self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
|
||||||
self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
|
|
||||||
|
|
||||||
def test_relative_include_exploit(self):
|
def test_relative_include_exploit(self):
|
||||||
"""
|
"""
|
||||||
May not bypass ALLOWED_INCLUDE_ROOTS with relative paths
|
May not bypass allowed_include_roots with relative paths
|
||||||
|
|
||||||
e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be
|
e.g. if allowed_include_roots = ("/var/www",), it should not be
|
||||||
possible to do {% ssi "/var/www/../../etc/passwd" %}
|
possible to do {% ssi "/var/www/../../etc/passwd" %}
|
||||||
"""
|
"""
|
||||||
disallowed_paths = [
|
disallowed_paths = [
|
||||||
os.path.join(self.ssi_dir, "..", "ssi_include.html"),
|
os.path.join(self.ssi_dir, "..", "ssi_include.html"),
|
||||||
os.path.join(self.ssi_dir, "..", "second", "test.html"),
|
os.path.join(self.ssi_dir, "..", "second", "test.html"),
|
||||||
]
|
]
|
||||||
with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
|
for disallowed_path in disallowed_paths:
|
||||||
for path in disallowed_paths:
|
self.assertEqual(self.render_ssi(disallowed_path), '')
|
||||||
self.assertEqual(self.render_ssi(path), '')
|
|
||||||
|
|
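Review bot: The disallowed paths in test_relative_include_exploit still only exercise `..` traversal into sibling directories, so a directory whose name merely shares the allowed root's string prefix is never checked; if the engine enforces `allowed_include_roots` by a plain prefix comparison on the absolute path (I cannot see that code in this diff), such a path would be wrongly accepted and this test would not notice. I would add one more entry to `disallowed_paths`, e.g. `os.path.join(self.this_dir, "templates", "first_sibling", "test.html")` (directory name constructed for illustration), together with a matching fixture file, since `render_ssi` asserts that the path exists before rendering. In the same hunk, `Context({})` in `render_ssi` is equivalent to the previous `Context()`; the explicit empty dict can be dropped to keep the helper as short as before. The enclosing class SSITests starts before this hunk.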