author | Florian Apolloner <florian@apolloner.eu> | 2021-05-17 11:26:36 +0200 |
---|---|---|
committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2021-06-02 10:58:39 +0200 |
commit | 46572de2e92fdeaf047f80c44d52269e54ad68db (patch) | |
tree | ccda1f219cc9544c506dfd25567f00fd9625da18 /tests/admin_docs | |
parent | f66ae7a2d5558fe88ddfe639a610573872be6628 (diff) | |
download | django-46572de2e92fdeaf047f80c44d52269e54ad68db.tar.gz |
Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.
Diffstat (limited to 'tests/admin_docs')
-rw-r--r-- | tests/admin_docs/test_views.py | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/tests/admin_docs/test_views.py b/tests/admin_docs/test_views.py
index 8e09c4cfec..085b821a37 100644
--- a/tests/admin_docs/test_views.py
+++ b/tests/admin_docs/test_views.py
@@ -154,6 +154,22 @@ class AdminDocViewTests(TestDataMixin, AdminDocsTestCase):
 self.assertEqual(response.status_code, 200)
+@unittest.skipUnless(utils.docutils_is_available, 'no docutils installed.')
+class AdminDocViewDefaultEngineOnly(TestDataMixin, AdminDocsTestCase):
+
+ def setUp(self):
+ self.client.force_login(self.superuser)
+
+ def test_template_detail_path_traversal(self):
+ cases = ['/etc/passwd', '../passwd']
+ for fpath in cases:
+ with self.subTest(path=fpath):
+ response = self.client.get(
+ reverse('django-admindocs-templates', args=[fpath]),
+ )
+ self.assertEqual(response.status_code, 400)
+
+
 @override_settings(TEMPLATES=[{
 'NAME': 'ONE',
 'BACKEND': 'django.template.backends.django.DjangoTemplates',
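Review bot: The new AdminDocViewDefaultEngineOnly class carries no docstring explaining why it is split off from AdminDocViewTests and kept outside the override_settings-decorated classes around it; presumably the template detail view resolves against the default template engine and would not work under the multi-engine TEMPLATES setting that follows, but that reasoning belongs in the class, e.g. `"""Tests that must run against the default template engine only."""`. Both traversal cases also begin with the escape itself (`/etc/passwd`, `../passwd`); a payload that starts from a legitimate-looking prefix, such as `'admin/../../../etc/passwd'`, would additionally exercise path normalization rather than only a leading `..` or an absolute path, and since `subTest` is already used it is a one-element addition to `cases`. The `@override_settings` class that follows the new code continues outside the hunk.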