Django upstream reported the following vulnerability in Django: Django's template language includes two methods of including and rendering one template inside another: 1. The ``{% include %}`` tag takes a template name, and uses Django's template loading mechanism (which is restricted to the directories specified in the ``TEMPLATE_DIRS`` setting, as with any other normal template load in Django). 2. The ``{% ssi %}`` tag, which takes a file path and includes that file's contents (optionally parsing and rendering it as a template). Since the ``ssi`` tag is not restricted to ``TEMPLATE_DIRS``, it represents a security risk; the setting ``ALLOWED_INCLUDE_ROOTS`` thus is required, and specifies filesystem locations from which ``ssi`` may read files. A report has been submitted to and confirmed by the Django core team, showing that the handling of the ``ALLOWED_INCLUDE_ROOTS`` setting is vulnerable to a directory-traversal attack, by specifying a file path which begins as the absolute path of a directory in ``ALLOWED_INCLUDE_ROOTS``, and then uses relative paths to break free. So, for example, if ``/var/include`` is in ``ALLOWED_INCLUDE_ROOTS``, the following would be accepted: {% ssi '/var/includes/../../etc/passwd' %} Which would include the contents of ``/etc/passwd`` in the template's output. Note that performing this attack does require some specific circumstances: * The site to be attacked must have one or more templates making use of the ``ssi`` tag, and must allow some form of unsanitized user input to be used as an argument to the ``ssi`` tag, or * The attacker must be in a position to alter templates on the site. To remedy this, the ``ssi`` tag will now use Python's ``os.path.abspath`` to determine the absolute path of the file, and whether it is actually located within a directory permitted by ``ALLOWED_INCLUDE_ROOTS``. Acknowledgements: Red Hat would like to thank James Bennett of Django for reporting this issue.
External Reference: https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
Created Django14 tracking bugs for this issue: Affects: epel-6 [bug 1007020]
Created python-django14 tracking bugs for this issue: Affects: fedora-19 [bug 1007019]
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1007018]
python-django-1.5.4-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.8-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.8-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Django14-1.4.8-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2013:1521 https://rhn.redhat.com/errata/RHSA-2013-1521.html