Django upstream reported the following vulnerability in Django:
Django's template language includes two methods of including and
rendering one template inside another:
1. The ``{% include %}`` tag takes a template name, and uses Django's
template loading mechanism (which is restricted to the directories
specified in the ``TEMPLATE_DIRS`` setting, as with any other
normal template load in Django).
2. The ``{% ssi %}`` tag, which takes a file path and includes that
file's contents (optionally parsing and rendering it as a
template).
Since the ``ssi`` tag is not restricted to ``TEMPLATE_DIRS``, it
represents a security risk; the setting ``ALLOWED_INCLUDE_ROOTS`` thus
is required, and specifies filesystem locations from which ``ssi`` may
read files.
A report has been submitted to and confirmed by the Django core team,
showing that the handling of the ``ALLOWED_INCLUDE_ROOTS`` setting is
vulnerable to a directory-traversal attack, by specifying a file path
which begins as the absolute path of a directory in
``ALLOWED_INCLUDE_ROOTS``, and then uses relative paths to break
free. So, for example, if ``/var/includes`` is in
``ALLOWED_INCLUDE_ROOTS``, the following would be accepted:
    {% ssi '/var/includes/../../etc/passwd' %}
which would include the contents of ``/etc/passwd`` in the template's
output.
Note that performing this attack does require some specific
circumstances:
* The site to be attacked must have one or more templates making use
of the ``ssi`` tag, and must allow some form of unsanitized user
input to be used as an argument to the ``ssi`` tag, or
* The attacker must be in a position to alter templates on the site.
To remedy this, the ``ssi`` tag will now use Python's
``os.path.abspath`` to determine the absolute path of the file, and
whether it is actually located within a directory permitted by
``ALLOWED_INCLUDE_ROOTS``.
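The following is an added illustration, not Django's own code: a naive prefix test of the kind the advisory describes as vulnerable, beside a check that first resolves the path with ``os.path.abspath`` and then verifies it lies inside an allowed root. The hardened version goes one step beyond the advisory by comparing on a directory boundary (``os.path.commonpath``) rather than a string prefix; the roots and paths are constructed for this example.

```python
import os

# Constructed for this example: the directories an ssi tag may read from.
ALLOWED_INCLUDE_ROOTS = ("/var/includes",)


def naive_include_is_allowed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Vulnerable check: a plain string-prefix test on the unresolved path.

    '/var/includes/../../etc/passwd' starts with '/var/includes', so this
    accepts it even though the '..' segments resolve it to /etc/passwd.
    """
    return any(filepath.startswith(root) for root in roots)


def include_is_allowed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Hardened check: resolve '..' with os.path.abspath, then require the
    resolved path to be inside one of the allowed roots.

    os.path.commonpath compares whole path components, so a sibling
    directory whose name merely begins with a root name does not match.
    """
    resolved = os.path.abspath(filepath)
    for root in roots:
        root = os.path.abspath(root)
        try:
            if os.path.commonpath([root, resolved]) == root:
                return True
        except ValueError:
            # Raised when the two paths cannot share a prefix (e.g. different
            # drives on Windows); treat that as "not inside this root".
            continue
    return False


if __name__ == "__main__":
    for candidate in ("/var/includes/header.html",
                      "/var/includes/../../etc/passwd",
                      "/var/includes-old/header.html"):
        print(candidate, "naive:", naive_include_is_allowed(candidate),
              "hardened:", include_is_allowed(candidate))
```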
Acknowledgements:
Red Hat would like to thank James Bennett of Django for reporting this issue.