include tag security hole

Czubakabra

unread,

Jul 21, 2007, 12:07:04 PM7/21/07

to Django developers

Hi,
Include tag is vulnerable to directory traversal:

{% include "/etc/passwd" %}

Django templates shoudn`t permit html coder to include files located
above TEMPLATE_DIRS paths.
What do you think about it?

Best regards,
Czubakabra

oggie rob

unread,

Jul 21, 2007, 2:37:18 PM7/21/07

to Django developers

Perhaps simply by preventing absolute paths? That would be very easy
to change if it doesn't prevent a legitimate setup.

Of course, html coders need to accept a certain responsibility because
sometimes they can access a *lot* of information quite easily. I would
think if you have a non programmer making changes, the programmers
would want to at least review those changes before accepting them, in
addition to a reasonable API.

-rob

Czubakabra

unread,

Jul 21, 2007, 6:13:05 PM7/21/07

to Django developers

Hello,

> Of course, html coders need to accept a certain responsibility because
> sometimes they can access a *lot* of information quite easily. I would
> think if you have a non programmer making changes, the programmers
> would want to at least review those changes before accepting them, in
> addition to a reasonable API.

I cannot agree with you. My application permit any user modify
templates code - follow a django philosophy - and they shouldn`t have
access to any private information that aren`t located in django base
path. Include tag is part of standard django library, and in my
opinion it contain trivial security hole... I made patch fixing this
vulnerability, but I want to see your opinions about it shoud be
patched or not.

Best regards,
Czubakabra

James Bennett

unread,

Jul 21, 2007, 6:29:16 PM7/21/07

to django-d...@googlegroups.com

On 7/21/07, Czubakabra <czuba...@o2.pl> wrote:
> Django templates shoudn`t permit html coder to include files located
> above TEMPLATE_DIRS paths.
> What do you think about it?

I'm personally ambivalent about where the "include" tag should be able
to search, because I can see cases where it'd be useful to have it
pull in things that aren't in TEMPLATE_DIRS. If you're interested in
confining the places from which the file may be pulled, use the "ssi"
tag and specify ALLOWED_INCLUDE_ROOTS in your settings file -- the
"ssi" tag will forbid access to directories not specified in that
setting.

Also, for future reference, Django's policy for reporting
security-related issues or suspected security-related issues is
outlined here:

http://www.djangoproject.com/documentation/contributing/#reporting-security-issues

And do keep in mind that the Django template system isn't necessarily
constructed to be safe when exposed to arbitrary users -- there are
many, many things which are perfectly acceptable and extremely useful
when the template author is a trusted member of your staff, but which
can easily be exploited if you allow arbitrary users to begin
authoring templates. I'm not certain we should weaken the template
language to accommodate that use case, since what you're doing
(allowing users to upload something which will be executed by your
server) is inherently insecure.

--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."

Gary Wilson

unread,

Jul 22, 2007, 2:21:36 AM7/22/07

to django-d...@googlegroups.com

Czubakabra wrote:
> Hi,
> Include tag is vulnerable to directory traversal:
>
> {% include "/etc/passwd" %}

It's a bug and not intended behavior. I've opened a ticket and have
attached a patch.

http://code.djangoproject.com/ticket/4952

Gary

SmileyChris

unread,

Jul 22, 2007, 7:59:57 PM7/22/07

to Django developers

On Jul 22, 6:21 pm, Gary Wilson <gary.wil...@gmail.com> wrote:
> It's a bug and not intended behavior. I've opened a ticket and have
> attached a patch.
>
> http://code.djangoproject.com/ticket/4952

I've put up a new patch which is pretty solid and ready for a
committer's review.

Tai Lee

unread,

Jul 22, 2007, 8:37:40 PM7/22/07

to Django developers

On Jul 22, 8:29 am, "James Bennett" <ubernost...@gmail.com> wrote:

> I'm personally ambivalent about where the "include" tag should be able
> to search, because I can see cases where it'd be useful to have it
> pull in things that aren't in TEMPLATE_DIRS. If you're interested in
> confining the places from which the file may be pulled, use the "ssi"
> tag and specify ALLOWED_INCLUDE_ROOTS in your settings file -- the
> "ssi" tag will forbid access to directories not specified in that
> setting.

Don't you mean *disallow* use of {% include %} and *enforce* use of {%
ssi %} (only)? If he has no control over the template code html
authors are generating, and {% include %} is part of django, those
template authors would be able to access it and would expect to be
allowed to access it?

James Bennett

unread,

Jul 22, 2007, 8:50:02 PM7/22/07

to django-d...@googlegroups.com

On 7/22/07, Tai Lee <mrmac...@gmail.com> wrote:
> Don't you mean *disallow* use of {% include %} and *enforce* use of {%
> ssi %} (only)? If he has no control over the template code html
> authors are generating, and {% include %} is part of django, those
> template authors would be able to access it and would expect to be
> allowed to access it?

Sort of, but not really. Personally, I don't think there's any secure
way to allow arbitrary users to upload templates, because there are
just too many ways to expose something you wouldn't want to expose; if
you were going to develop a sandboxed version of the template system,
you'd have to strip it down so much that it almost wouldn't be
recognizable afterward.