mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-08-04 19:08:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Fixed #24625 -- Prevented arbitrary file inclusion in admindocs

Browse source 
Thanks Tim Graham for the review.
This commit is contained in:
Markus Holtermann 2015-03-31 15:47:06 +02:00
parent 4e7ed8d0d3
commit 09595b4fc6
5 changed files with 18 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

0
tests/admin_docs/evilfile.txt Normal file
View file

6
tests/admin_docs/models.py
View file

@ -29,6 +29,12 @@ class Person(models.Model):
Field storing :model:`myapp.Company` where the person works.
(DESCRIPTION)
.. raw:: html
:file: admin_docs/evilfile.txt
.. include:: admin_docs/evilfile.txt
"""
first_name = models.CharField(max_length=200, help_text="The person's first name")
last_name = models.CharField(max_length=200, help_text="The person's last name")

6
tests/admin_docs/tests.py
View file

@ -290,6 +290,12 @@ class TestModelDetailView(TestDataMixin, AdminDocsTestCase):
"all related %s objects" % (link % ("admin_docs.group", "admin_docs.Group"))
)
# "raw" and "include" directives are disabled
self.assertContains(self.response, '<p>&quot;raw&quot; directive disabled.</p>',)
self.assertContains(self.response, '.. raw:: html\n :file: admin_docs/evilfile.txt')
self.assertContains(self.response, '<p>&quot;include&quot; directive disabled.</p>',)
self.assertContains(self.response, '.. include:: admin_docs/evilfile.txt')
def test_model_with_many_to_one(self):
link = '<a class="reference external" href="/admindocs/models/%s/">%s</a>'
response = self.client.get(