File tree Expand file tree Collapse file tree 4 files changed +40
-3
lines changed Expand file tree Collapse file tree 4 files changed +40
-3
lines changed Original file line number Diff line number Diff line change 1616from django .http import Http404
1717from django .template .engine import Engine
1818from django .urls import get_mod_func , get_resolver , get_urlconf
19+ from django .utils ._os import safe_join
1920from django .utils .decorators import method_decorator
2021from django .utils .inspect import (
2122 func_accepts_kwargs , func_accepts_var_args , get_func_full_args ,
@@ -329,7 +330,7 @@ def get_context_data(self, **kwargs):
329330 else :
330331 # This doesn't account for template loaders (#24128).
331332 for index , directory in enumerate (default_engine .dirs ):
332- template_file = Path (directory ) / template
333+ template_file = Path (safe_join ( directory , template ))
333334 if template_file .exists ():
334335 template_contents = template_file .read_text ()
335336 else :
Original file line number Diff line number Diff line change @@ -6,4 +6,14 @@ Django 2.2.24 release notes
66
77Django 2.2.24 fixes two security issues in 2.2.23.
88
9- ...
9+ CVE-2021-33203: Potential directory traversal via ``admindocs``
10+ ===============================================================
11+
12+ Staff members could use the :mod:`~django.contrib.admindocs`
13+ ``TemplateDetailView`` view to check the existence of arbitrary files.
14+ Additionally, if (and only if) the default admindocs templates have been
15+ customized by the developers to also expose the file contents, then not only
16+ the existence but also the file contents would have been exposed.
17+
18+ As a mitigation, path sanitation is now applied and only files within the
19+ template root directories can be loaded.
Original file line number Diff line number Diff line change @@ -6,4 +6,14 @@ Django 3.1.12 release notes
66
77Django 3.1.12 fixes two security issues in 3.1.11.
88
9- ...
9+ CVE-2021-33203: Potential directory traversal via ``admindocs``
10+ ===============================================================
11+
12+ Staff members could use the :mod:`~django.contrib.admindocs`
13+ ``TemplateDetailView`` view to check the existence of arbitrary files.
14+ Additionally, if (and only if) the default admindocs templates have been
15+ customized by the developers to also expose the file contents, then not only
16+ the existence but also the file contents would have been exposed.
17+
18+ As a mitigation, path sanitation is now applied and only files within the
19+ template root directories can be loaded.
Original file line number Diff line number Diff line change @@ -137,6 +137,22 @@ def test_no_sites_framework(self):
137137 self .assertContains (response , 'View documentation' )
138138
139139
140+ @unittest .skipUnless (utils .docutils_is_available , 'no docutils installed.' )
141+ class AdminDocViewDefaultEngineOnly (TestDataMixin , AdminDocsTestCase ):
142+
143+ def setUp (self ):
144+ self .client .force_login (self .superuser )
145+
146+ def test_template_detail_path_traversal (self ):
147+ cases = ['/etc/passwd' , '../passwd' ]
148+ for fpath in cases :
149+ with self .subTest (path = fpath ):
150+
64F0
response = self .client .get (
151+ reverse ('django-admindocs-templates' , args = [fpath ]),
152+ )
153+ self .assertEqual (response .status_code , 400 )
154+
155+
140156@override_settings (TEMPLATES = [{
141157 'NAME' : 'ONE' ,
142158 'BACKEND' : 'django.template.backends.django.DjangoTemplates' ,
You can’t perform that action at this time.
0 commit comments