| Summary: | CVE-2013-4315 python-django: directory traversal with "ssi" template tag | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | aortega, apevec, athomas, ayoung, bkearney, chrisw, gkotton, iheim, jpichon, jrusnack, lhh, markmc, mrunge, rbryant, sclewis, security-response-team, yeylon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Django 1.4.7, Django 1.5.3 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-01-20 18:51:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1007018, 1007019, 1007020, 1007021, 1007022, 1007023, 1007024 | ||
| Bug Blocks: | 1004971 | ||
External Reference: https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/ Created Django14 tracking bugs for this issue: Affects: epel-6 [bug 1007020] Created python-django14 tracking bugs for this issue: Affects: fedora-19 [bug 1007019] Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1007018] python-django-1.5.4-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. python-django14-1.4.8-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. python-django14-1.4.8-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. Django14-1.4.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2013:1521 https://rhn.redhat.com/errata/RHSA-2013-1521.html |
Django upstream reported the following vulnerability in Django: Django's template language includes two methods of including and rendering one template inside another: 1. The ``{% include %}`` tag takes a template name, and uses Django's template loading mechanism (which is restricted to the directories specified in the ``TEMPLATE_DIRS`` setting, as with any other normal template load in Django). 2. The ``{% ssi %}`` tag, which takes a file path and includes that file's contents (optionally parsing and rendering it as a template). Since the ``ssi`` tag is not restricted to ``TEMPLATE_DIRS``, it represents a security risk; the setting ``ALLOWED_INCLUDE_ROOTS`` thus is required, and specifies filesystem locations from which ``ssi`` may read files. A report has been submitted to and confirmed by the Django core team, showing that the handling of the ``ALLOWED_INCLUDE_ROOTS`` setting is vulnerable to a directory-traversal attack, by specifying a file path which begins as the absolute path of a directory in ``ALLOWED_INCLUDE_ROOTS``, and then uses relative paths to break free. So, for example, if ``/var/include`` is in ``ALLOWED_INCLUDE_ROOTS``, the following would be accepted: {% ssi '/var/includes/../../etc/passwd' %} Which would include the contents of ``/etc/passwd`` in the template's output. Note that performing this attack does require some specific circumstances: * The site to be attacked must have one or more templates making use of the ``ssi`` tag, and must allow some form of unsanitized user input to be used as an argument to the ``ssi`` tag, or * The attacker must be in a position to alter templates on the site. To remedy this, the ``ssi`` tag will now use Python's ``os.path.abspath`` to determine the absolute path of the file, and whether it is actually located within a directory permitted by ``ALLOWED_INCLUDE_ROOTS``. Acknowledgements: Red Hat would like to thank James Bennett of Django for reporting this issue.