id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
24625	Arbitrary file inclusion in admindocs	Markus Holtermann	Markus Holtermann	"After consulting with the security team we're treating this issue as a hardening:

`django.contrib.admindocs` relies on Docutils to render the docstrings. Docutils has the two directives ""[http://docutils.sourceforge.net/docs/ref/rst/directives.html#raw-directive raw]"" and ""[http://docutils.sourceforge.net/docs/ref/rst/directives.html#include include]"" to include files. By installing a third-party app and not carefully reviewing model, view or other docstrings, an attacker can insert arbitrary HTML code, posing as an XSS vulnerability, as well as include arbitrary files, e.g. the Django project settings, potentially revealing the database password and secret key."	Bug	closed	contrib.admindocs	dev	Normal	fixed			Ready for checkin	1	0	0	0	0	0
