Deprecated ALLOWED_INCLUDE_ROOTS.

This commit is contained in:
Aymeric Augustin 2014-12-14 22:59:51 +01:00
parent 84d7c93feb
commit 3dc01aaaaf
6 changed files with 26 additions and 18 deletions


@ -232,14 +232,6 @@ details about the default templates:
* :ref:`http_forbidden_view` * :ref:`http_forbidden_view`
* :ref:`http_bad_request_view` * :ref:`http_bad_request_view`
Miscellaneous
=============
:setting:`ALLOWED_INCLUDE_ROOTS`
--------------------------------
This setting is required if you're using the :ttag:`ssi` template tag.
Python Options Python Options
============== ==============


@ -87,6 +87,10 @@ details on these changes.
* The backwards compatibility shim to allow ``FormMixin.get_form()`` to be * The backwards compatibility shim to allow ``FormMixin.get_form()`` to be
defined with no default value for its ``form_class`` argument will be removed. defined with no default value for its ``form_class`` argument will be removed.
* The following settings will be removed:
* ``ALLOWED_INCLUDE_ROOTS``
* The backwards compatibility alias ``django.template.loader.BaseLoader`` will * The backwards compatibility alias ``django.template.loader.BaseLoader`` will
be removed. be removed.


@ -123,6 +123,11 @@ ALLOWED_INCLUDE_ROOTS
Default: ``()`` (Empty tuple) Default: ``()`` (Empty tuple)
.. deprecated:: 1.8
Set the ``'allowed_include_roots'`` option in the :setting:`OPTIONS
<TEMPLATES-OPTIONS>` of a ``DjangoTemplates`` backend instead.
A tuple of strings representing allowed prefixes for the ``{% ssi %}`` template A tuple of strings representing allowed prefixes for the ``{% ssi %}`` template
tag. This is a security measure, so that template authors can't access files tag. This is a security measure, so that template authors can't access files
that they shouldn't be accessing. that they shouldn't be accessing.


@ -996,8 +996,8 @@ file are evaluated as template code, within the current context::
{% ssi '/home/html/ljworld.com/includes/right_generic.html' parsed %} {% ssi '/home/html/ljworld.com/includes/right_generic.html' parsed %}
Note that if you use ``{% ssi %}``, you'll need to define Note that if you use ``{% ssi %}``, you'll need to define
:setting:`ALLOWED_INCLUDE_ROOTS` in your Django settings, as a security ``'allowed_include_roots'`` in the :setting:`OPTIONS <TEMPLATES-OPTIONS>` of
measure. your template engine, as a security measure.
.. note:: .. note::
With the :ttag:`ssi` tag and the ``parsed`` parameter With the :ttag:`ssi` tag and the ``parsed`` parameter


@ -1014,6 +1014,14 @@ Related to the previous item, referencing views as strings in the ``url()``
function is deprecated. Pass the callable view as described in the previous function is deprecated. Pass the callable view as described in the previous
section instead. section instead.
Template-related settings
~~~~~~~~~~~~~~~~~~~~~~~~~
As a consequence of the multiple template engines refactor, several settings
are deprecated in favor of :setting:`TEMPLATES`:
* ``ALLOWED_INCLUDE_ROOTS``
``django.core.context_processors`` ``django.core.context_processors``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


@ -470,28 +470,27 @@ class SSITests(SimpleTestCase):
def setUp(self): def setUp(self):
self.this_dir = os.path.dirname(os.path.abspath(upath(__file__))) self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
self.ssi_dir = os.path.join(self.this_dir, "templates", "first") self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
self.engine = Engine(allowed_include_roots=(self.ssi_dir,))
def render_ssi(self, path): def render_ssi(self, path):
# the path must exist for the test to be reliable # the path must exist for the test to be reliable
self.assertTrue(os.path.exists(path)) self.assertTrue(os.path.exists(path))
return template.Template('{%% ssi "%s" %%}' % path).render(Context()) return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({}))
def test_allowed_paths(self): def test_allowed_paths(self):
acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html") acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)): self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
def test_relative_include_exploit(self): def test_relative_include_exploit(self):
""" """
May not bypass ALLOWED_INCLUDE_ROOTS with relative paths May not bypass allowed_include_roots with relative paths
e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be e.g. if allowed_include_roots = ("/var/www",), it should not be
possible to do {% ssi "/var/www/../../etc/passwd" %} possible to do {% ssi "/var/www/../../etc/passwd" %}
""" """
disallowed_paths = [ disallowed_paths = [
os.path.join(self.ssi_dir, "..", "ssi_include.html"), os.path.join(self.ssi_dir, "..", "ssi_include.html"),
os.path.join(self.ssi_dir, "..", "second", "test.html"), os.path.join(self.ssi_dir, "..", "second", "test.html"),
] ]
with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)): for disallowed_path in disallowed_paths:
for path in disallowed_paths: self.assertEqual(self.render_ssi(disallowed_path), '')
self.assertEqual(self.render_ssi(path), '')
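Review bot: test_relative_include_exploit still only exercises `..` traversal out of `self.ssi_dir`; with the root now fixed once in setUp via `Engine(allowed_include_roots=(self.ssi_dir,))`, it would be cheap to add a case for a sibling directory whose name merely begins with the root's name (a constructed fixture such as `templates/first_other/test.html`) and assert it renders as `''`, so an allow-check that reduces to a plain string-prefix comparison cannot slip through unnoticed. Because render_ssi asserts `os.path.exists(path)` first, that case needs a real fixture file rather than a made-up path. render_ssi also splices `path` into the template source with `%s`; a one-line comment such as `# path is trusted test data; a quote character in it would break the template source` would make that assumption explicit. Both test methods are fully inside the hunk, but the `SSITests` class header sits above it.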