[1.6.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.

"""Default tags used by the template system, available to all templates."""

from __future__ import unicode_literals

import os

import sys

import re

from datetime import datetime

        return ''

def include_is_allowed(filepath):

    filepath = os.path.abspath(filepath)

    for root in settings.ALLOWED_INCLUDE_ROOTS:

        if filepath.startswith(root):

            return True

            template.Template('{% include "child" only %}').render(ctx),

            'none'

        )

class SSITests(TestCase):

    def setUp(self):

        self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))

        self.ssi_dir = os.path.join(self.this_dir, "templates", "first")

    def render_ssi(self, path):

        # the path must exist for the test to be reliable

        self.assertTrue(os.path.exists(path))

        return template.Template('{%% ssi "%s" %%}' % path).render(Context())

    def test_allowed_paths(self):

        acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")

        with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):

            self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')

    def test_relative_include_exploit(self):

        """

        May not bypass ALLOWED_INCLUDE_ROOTS with relative paths

        e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be

        possible to do {% ssi "/var/www/../../etc/passwd" %}

        """

        disallowed_paths = [

            os.path.join(self.ssi_dir, "..", "ssi_include.html"),

            os.path.join(self.ssi_dir, "..", "second", "test.html"),

        ]

        with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):

            for path in disallowed_paths:

                self.assertEqual(self.render_ssi(path), '')