Skip to content
Permalink
Browse files

[1.4.x] Prevented arbitrary file inclusion with {% ssi %} tag and rel…

…ative paths.

Thanks Rainer Koirikivi for the report and draft patch.

This is a security fix; disclosure to follow shortly.

Backport of 7fe5b65 from master
  • Loading branch information...
timgraham committed Aug 28, 2013
1 parent 9ab7ed9 commit 87d2750b39f6f2d54b7047225521a44dcd37e896
Showing with 33 additions and 0 deletions.
  1. +2 −0 django/template/defaulttags.py
  2. +31 −0 tests/regressiontests/templates/tests.py
@@ -1,5 +1,6 @@
"""Default tags used by the template system, available to all templates."""

import os
import sys
import re
from datetime import datetime
@@ -309,6 +310,7 @@ def render(self, context):
return ''

def include_is_allowed(filepath):
filepath = os.path.abspath(filepath)
for root in settings.ALLOWED_INCLUDE_ROOTS:
if filepath.startswith(root):
return True
@@ -1764,3 +1764,34 @@ def test_include_only(self):
template.Template('{% include "child" only %}').render(ctx),
'none'
)


class SSITests(unittest.TestCase):
def setUp(self):
self.this_dir = os.path.dirname(os.path.abspath(__file__))
self.ssi_dir = os.path.join(self.this_dir, "templates", "first")

def render_ssi(self, path):
# the path must exist for the test to be reliable
self.assertTrue(os.path.exists(path))
return template.Template('{%% ssi %s %%}' % path).render(Context())

def test_allowed_paths(self):
acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')

def test_relative_include_exploit(self):
"""
May not bypass ALLOWED_INCLUDE_ROOTS with relative paths
e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be
possible to do {% ssi "/var/www/../../etc/passwd" %}
"""
disallowed_paths = [
os.path.join(self.ssi_dir, "..", "ssi_include.html"),
os.path.join(self.ssi_dir, "..", "second", "test.html"),
]
with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
for path in disallowed_paths:
self.assertEqual(self.render_ssi(path), '')

0 comments on commit 87d2750

Please sign in to comment.
You can’t perform that action at this time.