[3.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.
apollo13 authored and carltongibson committed Jun 2, 2021
1 parent aed1409 commit dfaba12
Showing 5 changed files with 52 additions and 3 deletions.
3 changes: 2 additions & 1 deletion django/contrib/admindocs/views.py
@@ -16,6 +16,7 @@
from django.http import Http404
from django.template.engine import Engine
from django.urls import get_mod_func, get_resolver, get_urlconf
from django.utils._os import safe_join
from django.utils.decorators import method_decorator
from django.utils.inspect import (
func_accepts_kwargs, func_accepts_var_args, get_func_full_args,
@@ -329,7 +330,7 @@ def get_context_data(self, **kwargs):
else:
# This doesn't account for template loaders (#24128).
for index, directory in enumerate(default_engine.dirs):
template_file = Path(directory) / template
template_file = Path(safe_join(directory, template))
if template_file.exists():
template_contents = template_file.read_text()
else:
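Review bot: the safe_join call on the changed line raises SuspiciousFileOperation when the joined path resolves outside `directory`, but nothing in this hunk catches it, so the view relies on Django's default conversion of SuspiciousOperation into a 400 response (the status the new test in tests/admin_docs/test_views.py asserts). A one-line comment beside `template_file = Path(safe_join(directory, template))` saying the exception is intentionally left to propagate would stop the next reader from assuming the `exists()` check below is what rejects the traversal. The retained `# This doesn't account for template loaders (#24128).` comment is also worth keeping in mind: the lookup, and therefore this sanitising, only walks `default_engine.dirs`.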
12 changes: 11 additions & 1 deletion docs/releases/2.2.24.txt
@@ -6,4 +6,14 @@ Django 2.2.24 release notes

Django 2.2.24 fixes two security issues in 2.2.23.

...
CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================

Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.
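Review bot: the mitigation sentence closing the hunk describes the fix only as "path sanitation is now applied" and does not state what a request for a path outside the template directories now returns (the accompanying test in tests/admin_docs/test_views.py asserts a 400), which is the observable change operators need when reviewing logs or custom admindocs templates; consider adding that, and "sanitization" is the more usual spelling. The same paragraph is repeated verbatim in docs/releases/3.1.12.txt and docs/releases/3.2.4.txt, so any wording change should be applied to all three.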
12 changes: 11 additions & 1 deletion docs/releases/3.1.12.txt
@@ -6,4 +6,14 @@ Django 3.1.12 release notes

Django 3.1.12 fixes two security issues in 3.1.11.

...
CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================

Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.
12 changes: 12 additions & 0 deletions docs/releases/3.2.4.txt
@@ -6,6 +6,18 @@ Django 3.2.4 release notes

Django 3.2.4 fixes two security issues and several bugs in 3.2.3.

CVE-2021-33203: Potential directory traversal via ``admindocs``
===============================================================

Staff members could use the :mod:`~django.contrib.admindocs`
``TemplateDetailView`` view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.

Bugfixes
========

16 changes: 16 additions & 0 deletions tests/admin_docs/test_views.py
@@ -137,6 +137,22 @@ def test_no_sites_framework(self):
self.assertContains(response, 'View documentation')


@unittest.skipUnless(utils.docutils_is_available, 'no docutils installed.')
class AdminDocViewDefaultEngineOnly(TestDataMixin, AdminDocsTestCase):

def setUp(self):
self.client.force_login(self.superuser)

def test_template_detail_path_traversal(self):
cases = ['/etc/passwd', '../passwd']
for fpath in cases:
with self.subTest(path=fpath):
response = self.client.get(
reverse('django-admindocs-templates', args=[fpath]),
)
self.assertEqual(response.status_code, 400)


@override_settings(TEMPLATES=[{
'NAME': 'ONE',
'BACKEND': 'django.template.backends.django.DjangoTemplates',
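Review bot: test_template_detail_path_traversal only checks that '/etc/passwd' and '../passwd' are rejected with 400; the hunk has no positive case confirming that a legitimate template name inside the configured directories still returns 200 after the change, so a regression that rejected every path would pass this test. Adding one such subTest alongside the two traversal cases would pin down both sides of the behaviour. The class name AdminDocViewDefaultEngineOnly is also the only hint about which branch of the view these cases exercise; a short docstring stating that would help.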