include tag can access files outside of allowed directories
Reported by: Gary Wilson | Owned by: Adrian Holovaty
Cc: | Triage Stage: Ready for checkin
Has patch: yes | Needs documentation: no
Needs tests: no | Patch needs improvement: no
Issue was brought up in django-dev: http://groups.google.com/group/django-developers/browse_frm/thread/28eac0b3787de93
It looks like the root of the problem is in the get_template_sources functions of both the filesystem template loaders.
>>> from django.template.loaders import filesystem
>>> list(filesystem.get_template_sources("etc/passwd"))
['/home/gdub/checkout/listitall/wishlist/templates/etc/passwd']
>>> list(filesystem.get_template_sources("/etc/passwd"))
['/etc/passwd']
The get_template_sources functions make use of os.path.join, which has a quirk with absolute paths. From the os.path docs about os.path.join:

"Join one or more path components intelligently. If any component is an absolute path, all previous components (on Windows, including the previous drive letter, if there was one) are thrown away, and joining continues."
>>> os.path.join('/my/template/dir', '/etc/passwd')
'/etc/passwd'
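As an added illustration (not code from the ticket or from Django itself), the join behaviour quoted above sits beside a hardened lookup that keeps only candidates resolving inside a configured template directory; the directory names, the `safe_join` helper and the POSIX path layout are assumptions for the demonstration:

```python
import os
from typing import Iterator, List, Optional

# Constructed template directories for the demonstration (not a real deployment).
TEMPLATE_DIRS = ["/srv/app/templates", "/srv/shared/templates"]


def unsafe_join(base: str, name: str) -> str:
    """The behaviour the ticket describes: os.path.join discards `base`
    when `name` is absolute, so '/etc/passwd' escapes the template dir."""
    return os.path.join(base, name)


def safe_join(base: str, name: str) -> Optional[str]:
    """Join `name` onto `base` and return None unless the result still lies
    inside `base` after normalisation (hypothetical helper, assumes POSIX)."""
    base_abs = os.path.abspath(base)
    # abspath normalises the joined path, so '..' segments are collapsed before
    # the containment check below; an absolute `name` simply replaces base_abs.
    candidate = os.path.abspath(os.path.join(base_abs, name))
    # A candidate is inside base_abs only when base_abs is their common prefix
    # as a whole path component, which rules out '/srv/app/templates-other'.
    if os.path.commonpath([base_abs, candidate]) != base_abs:
        return None
    return candidate


def get_template_sources(template_name: str,
                         template_dirs: List[str] = TEMPLATE_DIRS) -> Iterator[str]:
    """Hardened counterpart of the loader function in the ticket: yields only
    candidate paths that remain inside one of the configured directories."""
    for template_dir in template_dirs:
        candidate = safe_join(template_dir, template_name)
        if candidate is not None:
            yield candidate


if __name__ == "__main__":
    print(unsafe_join(TEMPLATE_DIRS[0], "/etc/passwd"))   # the quirk: /etc/passwd
    print(list(get_template_sources("etc/passwd")))       # two in-tree candidates
    print(list(get_template_sources("/etc/passwd")))      # [] (absolute name rejected)
    print(list(get_template_sources("../../etc/passwd"))) # [] (traversal rejected)
```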
Change History (19)
comment:1 follow-up: 4 Changed 9 years ago by
Patch needs improvement: unset
Triage Stage: Unreviewed → Accepted

comment:5 Changed 9 years ago by
Patch needs improvement: set
Triage Stage: Ready for checkin → Accepted