File CVE-2021-33203.patch of Package python-Django
From e8533625cff17b41daf2352abadb74fa4209d911 Mon Sep 17 00:00:00 2001
From: Florian Apolloner <florian@apolloner.eu>
Date: Tue, 25 May 2021 11:55:06 +0200
Subject: [PATCH] [2.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.
---
 django/contrib/admindocs/views.py | 3 ++-
 tests/admin_docs/test_views.py | 16 ++++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/django/contrib/admindocs/views.py b/django/contrib/admindocs/views.py
index 12f5863228e8..2ddd710edb80 100644
--- a/django/contrib/admindocs/views.py
+++ b/django/contrib/admindocs/views.py
@@ -15,6 +15,7 @@ from django.db import models
 from django.http import Http404
 from django.template.engine import Engine
 from django.urls import get_mod_func, get_resolver, get_urlconf, reverse
+from django.utils._os import safe_join
 from django.utils.decorators import method_decorator
 from django.utils.inspect import (
 func_accepts_kwargs, func_accepts_var_args, func_has_no_args,
@@ -347,7 +348,7 @@ class TemplateDetailView(BaseAdminDocsView):
 else:
 # This doesn't account for template loaders (#24128).
 for index, directory in enumerate(default_engine.dirs):
- template_file = os.path.join(directory, template)
+ template_file = safe_join(directory, template)
 if os.path.exists(template_file):
 with open(template_file) as f:
 template_contents = f.read()
diff --git a/tests/admin_docs/test_views.py b/tests/admin_docs/test_views.py
index cf4f9359c7df..a528c07347ec 100644
--- a/tests/admin_docs/test_views.py
+++ b/tests/admin_docs/test_views.py
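Review bot: The `template_file = safe_join(directory, template)` line now rejects a `template` value that resolves outside `directory`, but nothing at the call site says how that rejection surfaces; since `safe_join` aborts by raising rather than returning a sentinel, the loop over `default_engine.dirs` stops at the first directory and the caller gets an error response (the added test expects a 400), which is worth stating next to the call. Suggested comment above the line: `# safe_join() raises SuspiciousFileOperation (surfaced as a 400) if `template` escapes `directory`, so no traversal path reaches os.path.exists()/open() below.` As far as I recall, `safe_join` checks the joined path lexically (via abspath, not realpath), so a symlink placed inside a template directory is still followed by the `open()` two lines down; if that matters for this deployment, note it in the same comment rather than relying on the join alone. The enclosing method of TemplateDetailView starts before and continues past this hunk.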
@@ -138,6 +138,22 @@ class AdminDocViewTests(TestDataMixin, AdminDocsTestCase):
 self.assertContains(response, 'View documentation')
+@unittest.skipUnless(utils.docutils_is_available, 'no docutils installed.')
+class AdminDocViewDefaultEngineOnly(TestDataMixin, AdminDocsTestCase):
+
+ def setUp(self):
+ self.client.force_login(self.superuser)
+
+ def test_template_detail_path_traversal(self):
+ cases = ['/etc/passwd', '../passwd']
+ for fpath in cases:
+ with self.subTest(path=fpath):
+ response = self.client.get(
+ reverse('django-admindocs-templates', args=[fpath]),
+ )
+ self.assertEqual(response.status_code, 400)
+
+
 @override_settings(TEMPLATES=[{
 'NAME': 'ONE',
 'BACKEND': 'django.template.backends.django.DjangoTemplates',