mirror of https://github.com/django/django.git synced 2025-10-30 17:16:10 +00:00

[1.6.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.

Thanks Rainer Koirikivi for the report and draft patch.

This is a security fix; disclosure to follow shortly.

Backport of 7fe5b656c9 from master
Author: Tim Graham
Date: 2013-08-27 18:50:11 -04:00
parent ef3604a085
commit 536cc64240
2 changed files with 33 additions and 0 deletions


@@ -1,6 +1,7 @@
"""Default tags used by the template system, available to all templates."""
from __future__ import unicode_literals
import os
import sys
import re
from datetime import datetime
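Review bot: the only use of the new `import os` visible in this patch is the `os.path.abspath` call added to `include_is_allowed` in the next hunk, so the import is justified; it is inserted between `from __future__` and `import sys` rather than kept with the other plain `import` lines in sorted order, which an import linter may flag but is otherwise harmless.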
@@ -332,6 +333,7 @@ class RegroupNode(Node):
return ''
def include_is_allowed(filepath):
filepath = os.path.abspath(filepath)
for root in settings.ALLOWED_INCLUDE_ROOTS:
if filepath.startswith(root):
return True
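Review bot: `os.path.abspath(filepath)` collapses `.` and `..` segments before the check, which is what closes the relative-path escape the commit message describes, but `filepath.startswith(root)` is still a bare string-prefix test: a root listed in `ALLOWED_INCLUDE_ROOTS` without a trailing separator would also admit a sibling directory whose name merely begins with the same characters. Consider normalising each root the same way and comparing against `os.path.join(root, '')`, or testing `filepath == root or filepath.startswith(root + os.sep)`. Note also that `abspath` does not resolve symbolic links, so a link placed inside an allowed root that points outside it still passes; `os.path.realpath` would cover that case if it is meant to be excluded. The function's fall-through return after the loop is not visible in the hunk as rendered, so this comment covers only the lines shown.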