Commit 09595b4f authored by Markus Holtermann's avatar Markus Holtermann

Fixed #24625 -- Prevented arbitrary file inclusion in admindocs

Thanks Tim Graham for the review.
parent 4e7ed8d0
+3 −1
@@ -67,7 +67,9 @@ def parse_rst(text, default_reference_context, thing_being_parsed=None):
        'doctitle_xform': True,
        'inital_header_level': 3,
        "default_reference_context": default_reference_context,
        "link_base": reverse('django-admindocs-docroot').rstrip('/')
        "link_base": reverse('django-admindocs-docroot').rstrip('/'),
        'raw_enabled': False,
        'file_insertion_enabled': False,
    }
    if thing_being_parsed:
        thing_being_parsed = force_bytes("<%s>" % thing_being_parsed)
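Review bot: The two new overrides `'raw_enabled': False` and `'file_insertion_enabled': False` carry no comment saying why they exist, so a later tidy-up of this settings dict could drop them without anyone noticing that it reopens #24625. I would add above `'raw_enabled': False,` a comment such as `# Security (#24625): docstrings from every installed app are rendered here, so disable the docutils "raw" directive and file insertion ("include", plus the :file:/:url: options of "raw" and "csv-table"); otherwise a docstring can pull arbitrary server files into the admin page.` As far as I recall, docutils' `file_insertion_enabled` also governs the `:url:` forms, which is what you want, but that is worth confirming against the docutils version Django supports. parse_rst continues past the end of this hunk, so whether these overrides reach `publish_parts` unchanged is not visible here.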
+3 −0
@@ -35,3 +35,6 @@ Bugfixes
* Fixed a regression in the model detail view of
  :mod:`~django.contrib.admindocs` when a model has a reverse foreign key
  relation (:ticket:`24624`).

* Prevented arbitrary file inclusions in :mod:`~django.contrib.admindocs`
  (:ticket:`24625`).
+0 −0

Empty file added.

+6 −0
@@ -29,6 +29,12 @@ class Person(models.Model):
        Field storing :model:`myapp.Company` where the person works.

    (DESCRIPTION)

    .. raw:: html
        :file: admin_docs/evilfile.txt

    .. include:: admin_docs/evilfile.txt

    """
    first_name = models.CharField(max_length=200, help_text="The person's first name")
    last_name = models.CharField(max_length=200, help_text="The person's last name")
+6 −0
@@ -290,6 +290,12 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase):
            "all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
        )

        # "raw" and "include" directives are disabled
        self.assertContains(self.response, '<p>&quot;raw&quot; directive disabled.</p>',)
        self.assertContains(self.response, '.. raw:: html\n    :file: admin_docs/evilfile.txt')
        self.assertContains(self.response, '<p>&quot;include&quot; directive disabled.</p>',)
        self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')

    def test_model_with_many_to_one(self):
        link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
        response = self.client.get(
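Review bot: The four new assertions only check docutils' own error wording (`&quot;raw&quot; directive disabled.`, `&quot;include&quot; directive disabled.`) and never verify that the target file's contents stayed out of the page, which couples the test to docutils' message text and would not catch a future change that re-enables only one of the two mechanisms; the fixture `admin_docs/evilfile.txt` is added empty elsewhere in this commit, so no such check is possible with it as is. I would give the fixture a distinctive sentinel line and add `self.assertNotContains(self.response, 'SENTINEL')` alongside the existing asserts, so the regression is caught regardless of how docutils phrases its error. The stray trailing commas in `assertContains(..., '...',)` on the two message asserts are harmless but look unintended. The enclosing test method starts before this hunk.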