
Fixed #24625 -- Prevented arbitrary file inclusion in admindocs

Thanks Tim Graham for the review.
Markus Holtermann 10 年之前
父節點
當前提交
09595b4fc6

+ 3 - 1
django/contrib/admindocs/utils.py

@@ -67,7 +67,9 @@ def parse_rst(text, default_reference_context, thing_being_parsed=None):
         'doctitle_xform': True,
         'inital_header_level': 3,
         "default_reference_context": default_reference_context,
-        "link_base": reverse('django-admindocs-docroot').rstrip('/')
+        "link_base": reverse('django-admindocs-docroot').rstrip('/'),
+        'raw_enabled': False,
+        'file_insertion_enabled': False,
     }
     if thing_being_parsed:
         thing_being_parsed = force_bytes("<%s>" % thing_being_parsed)
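Review bot: The two added keys `'raw_enabled': False` and `'file_insertion_enabled': False` carry no comment saying why they are there, so a later tidy-up of this settings dict could drop them without noticing they close a file-disclosure hole; a two-line comment above `'raw_enabled'` such as `# Docstrings are untrusted input: disable the "raw" and "include" directives,` / `# which could otherwise read arbitrary files from disk (#24625).` would pin the intent. Note that `raw_enabled: False` also turns off raw HTML passthrough that does not use `:file:`, which is what the `'&quot;raw&quot; directive disabled.'` assertion in tests/admin_docs/tests.py relies on. Unrelated to this change, the context line `'inital_header_level': 3` looks misspelled (docutils' setting is `initial_header_level`), which would make that override a no-op and is worth a separate ticket. The rest of parse_rst, including the call these overrides are passed to, is outside the hunk.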

+ 3 - 0
docs/releases/1.8.1.txt

@@ -35,3 +35,6 @@ Bugfixes
 * Fixed a regression in the model detail view of
   :mod:`~django.contrib.admindocs` when a model has a reverse foreign key
   relation (:ticket:`24624`).
+
+* Prevented arbitrary file inclusions in :mod:`~django.contrib.admindocs`
+  (:ticket:`24625`).

+ 0 - 0
tests/admin_docs/evilfile.txt


+ 6 - 0
tests/admin_docs/models.py

@@ -29,6 +29,12 @@ class Person(models.Model):
         Field storing :model:`myapp.Company` where the person works.
 
     (DESCRIPTION)
+
+    .. raw:: html
+        :file: admin_docs/evilfile.txt
+
+    .. include:: admin_docs/evilfile.txt
+
     """
     first_name = models.CharField(max_length=200, help_text="The person's first name")
     last_name = models.CharField(max_length=200, help_text="The person's last name")

+ 6 - 0
tests/admin_docs/tests.py

@@ -290,6 +290,12 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase):
             "all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
         )
 
+        # "raw" and "include" directives are disabled
+        self.assertContains(self.response, '<p>&quot;raw&quot; directive disabled.</p>',)
+        self.assertContains(self.response, '.. raw:: html\n    :file: admin_docs/evilfile.txt')
+        self.assertContains(self.response, '<p>&quot;include&quot; directive disabled.</p>',)
+        self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
+
     def test_model_with_many_to_one(self):
         link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
         response = self.client.get(
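Review bot: Both new `assertContains` calls for `'&quot;raw&quot; directive disabled.'` and `'&quot;include&quot; directive disabled.'` end in `,)`, a stray trailing comma inside the call that should go for consistency with the surrounding assertions, e.g. `self.assertContains(self.response, '<p>&quot;raw&quot; directive disabled.</p>')`. The four assertions show that docutils rejected the directives and echoed their source, but nothing asserts that the fixture's contents did not reach the page; since tests/admin_docs/evilfile.txt appears to be added empty (0 additions), a sentinel line in it plus `self.assertNotContains(self.response, 'SENTINEL_TEXT_PLACEHOLDER')` would make the regression test catch a partial fix as well. The test method these lines belong to starts outside the hunk.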