Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse code

Fixed #4952 -- Fixed the `get_template_sources` functions of the `app…

…_directories` and `filesystem` template loaders to not return paths outside of given template directories. Both functions now make use of a new `safe_join` utility function. Thanks to SmileyChris for help with the patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@5750 bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
commit 304381616f89745c2b52ba793e5b23184c4788bb 1 parent 7a16a1d
Gary Wilson Jr. authored July 23, 2007
19  django/template/loaders/app_directories.py
... ...
@@ -1,9 +1,14 @@
1  
-# Wrapper for loading templates from "template" directories in installed app packages.
  1
+"""
  2
+Wrapper for loading templates from "template" directories in INSTALLED_APPS
  3
+packages.
  4
+"""
  5
+
  6
+import os
2 7
 
3 8
 from django.conf import settings
4 9
 from django.core.exceptions import ImproperlyConfigured
5 10
 from django.template import TemplateDoesNotExist
6  
-import os
  11
+from django.utils._os import safe_join
7 12
 
8 13
 # At compile time, cache the directories to search.
9 14
 app_template_dirs = []
@@ -28,8 +33,14 @@
28 33
 app_template_dirs = tuple(app_template_dirs)
29 34
 
30 35
 def get_template_sources(template_name, template_dirs=None):
31  
-    for template_dir in app_template_dirs:
32  
-        yield os.path.join(template_dir, template_name)
  36
+    if not template_dirs:
  37
+        template_dirs = app_template_dirs
  38
+    for template_dir in template_dirs:
  39
+        try:
  40
+            yield safe_join(template_dir, template_name)
  41
+        except ValueError:
  42
+            # The joined path was located outside of template_dir.
  43
+            pass
33 44
 
34 45
 def load_template_source(template_name, template_dirs=None):
35 46
     for filepath in get_template_sources(template_name, template_dirs):
12  django/template/loaders/filesystem.py
... ...
@@ -1,14 +1,20 @@
1  
-# Wrapper for loading templates from the filesystem.
  1
+"""
  2
+Wrapper for loading templates from the filesystem.
  3
+"""
2 4
 
3 5
 from django.conf import settings
4 6
 from django.template import TemplateDoesNotExist
5  
-import os
  7
+from django.utils._os import safe_join
6 8
 
7 9
 def get_template_sources(template_name, template_dirs=None):
8 10
     if not template_dirs:
9 11
         template_dirs = settings.TEMPLATE_DIRS
10 12
     for template_dir in template_dirs:
11  
-        yield os.path.join(template_dir, template_name)
  13
+        try:
  14
+            yield safe_join(template_dir, template_name)
  15
+        except ValueError:
  16
+            # The joined path was located outside of template_dir.
  17
+            pass
12 18
 
13 19
 def load_template_source(template_name, template_dirs=None):
14 20
     tried = []
23  django/utils/_os.py
... ...
@@ -0,0 +1,23 @@
  1
+from os.path import join, normcase, abspath, sep
  2
+
  3
+def safe_join(base, *paths):
  4
+    """
  5
+    Join one or more path components to the base path component intelligently.
  6
+    Return a normalized, absolute version of the final path.
  7
+
  8
+    The final path must be located inside of the base path component (otherwise
  9
+    a ValueError is raised).
  10
+    """
  11
+    # We need to use normcase to ensure we don't false-negative on case
  12
+    # insensitive operating systems (like Windows).
  13
+    final_path = normcase(abspath(join(base, *paths)))
  14
+    base_path = normcase(abspath(base))
  15
+    base_path_len = len(base_path)
  16
+    # Ensure final_path starts with base_path and that the next character after
  17
+    # the final path is os.sep (or nothing, in which case final_path must be
  18
+    # equal to base_path).
  19
+    if not final_path.startswith(base_path) \
  20
+       or final_path[base_path_len:base_path_len+1] not in ('', sep):
  21
+        raise ValueError('the joined path is located outside of the base path'
  22
+                         ' component')
  23
+    return final_path
48  tests/regressiontests/templates/tests.py
@@ -6,13 +6,17 @@
6 6
     # before importing 'template'.
7 7
     settings.configure()
8 8
 
  9
+import os
  10
+import unittest
  11
+from datetime import datetime, timedelta
  12
+
9 13
 from django import template
10 14
 from django.template import loader
  15
+from django.template.loaders import app_directories, filesystem
11 16
 from django.utils.translation import activate, deactivate, install, ugettext as _
12 17
 from django.utils.tzinfo import LocalTimezone
13  
-from datetime import datetime, timedelta
  18
+
14 19
 from unicode import unicode_tests
15  
-import unittest
16 20
 
17 21
 # Some other tests we would like to run
18 22
 __test__ = {
@@ -75,6 +79,46 @@ def __str__(self):
75 79
         return u'ŠĐĆŽćžšđ'.encode('utf-8')
76 80
 
77 81
 class Templates(unittest.TestCase):
  82
+    def test_loaders_security(self):
  83
+        def test_template_sources(path, template_dirs, expected_sources):
  84
+            # Fix expected sources so they are normcased and abspathed
  85
+            expected_sources = [os.path.normcase(os.path.abspath(s)) for s in expected_sources]
  86
+            # Test app_directories loader
  87
+            sources = app_directories.get_template_sources(path, template_dirs)
  88
+            self.assertEqual(list(sources), expected_sources)
  89
+            # Test filesystem loader
  90
+            sources = filesystem.get_template_sources(path, template_dirs)
  91
+            self.assertEqual(list(sources), expected_sources)
  92
+
  93
+        template_dirs = ['/dir1', '/dir2']
  94
+        test_template_sources('index.html', template_dirs,
  95
+                              ['/dir1/index.html', '/dir2/index.html'])
  96
+        test_template_sources('/etc/passwd', template_dirs,
  97
+                              [])
  98
+        test_template_sources('etc/passwd', template_dirs,
  99
+                              ['/dir1/etc/passwd', '/dir2/etc/passwd'])
  100
+        test_template_sources('../etc/passwd', template_dirs,
  101
+                              [])
  102
+        test_template_sources('../../../etc/passwd', template_dirs,
  103
+                              [])
  104
+        test_template_sources('/dir1/index.html', template_dirs,
  105
+                              ['/dir1/index.html'])
  106
+        test_template_sources('../dir2/index.html', template_dirs,
  107
+                              ['/dir2/index.html'])
  108
+        test_template_sources('/dir1blah', template_dirs,
  109
+                              [])
  110
+        test_template_sources('../dir1blah', template_dirs,
  111
+                              [])
  112
+
  113
+        # Case insensitive tests (for win32). Not run unless we're on
  114
+        # a case insensitive operating system.
  115
+        if os.path.normcase('/TEST') == os.path.normpath('/test'):
  116
+            template_dirs = ['/dir1', '/DIR2']
  117
+            test_template_sources('index.html', template_dirs,
  118
+                                  ['/dir1/index.html', '/dir2/index.html'])
  119
+            test_template_sources('/DIR1/index.HTML', template_dirs,
  120
+                                  ['/dir1/index.html'])
  121
+
78 122
     def test_templates(self):
79 123
         # NOW and NOW_tz are used by timesince tag tests.
80 124
         NOW = datetime.now()

0 notes on commit 3043816

Please sign in to comment.
Something went wrong with that request. Please try again.