Closed Bug 914186 Opened 12 years ago Closed 12 years ago

Update to Django 1.4.7 / 1.5.3

Categories

(support.mozilla.org :: General, defect, P3)

defect

Tracking

(Not tracked)

RESOLVED FIXED
2013Q3

People

(Reporter: willkg, Assigned: rrosario)

Details

(Whiteboard: u=dev c=general p=1 s=2013.18)

The Django project will be releasing Django 1.4.7 and 1.5.3 on September 10th to fix a security issue. The security issue is as follows:

Issue: directory traversal with ``ssi`` template tag
====================================================

Django's template language includes two methods of including and rendering one template inside another:

1. The ``{% include %}`` tag takes a template name, and uses Django's template loading mechanism (which is restricted to the directories specified in the ``TEMPLATE_DIRS`` setting, as with any other normal template load in Django).

2. The ``{% ssi %}`` tag, which takes a file path and includes that file's contents (optionally parsing and rendering it as a template).

Since the ``ssi`` tag is not restricted to ``TEMPLATE_DIRS``, it represents a security risk; the setting ``ALLOWED_INCLUDE_ROOTS`` thus is required, and specifies filesystem locations from which ``ssi`` may read files.

A report has been submitted to and confirmed by the Django core team, showing that the handling of the ``ALLOWED_INCLUDE_ROOTS`` setting is vulnerable to a directory-traversal attack, by specifying a file path which begins as the absolute path of a directory in ``ALLOWED_INCLUDE_ROOTS``, and then uses relative paths to break free. So, for example, if ``/var/includes`` is in ``ALLOWED_INCLUDE_ROOTS``, the following would be accepted:

{% ssi '/var/includes/../../etc/passwd' %}

Which would include the contents of ``/etc/passwd`` in the template's output.

Note that performing this attack does require some specific circumstances:

* The site to be attacked must have one or more templates making use of the ``ssi`` tag, and must allow some form of unsanitized user input to be used as an argument to the ``ssi`` tag, or

* The attacker must be in a position to alter templates on the site.

To remedy this, the ``ssi`` tag will now use Python's ``os.path.abspath`` to determine the absolute path of the file, and whether it is actually located within a directory permitted by ``ALLOWED_INCLUDE_ROOTS``.
We use Jinja2 templates and don't use the ssi tag. So this is low priority. Having said that, it's pretty easy to update Django, so when it comes out, it's probably worth the 10 minutes to just do it.
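The advisory quoted above describes the flaw as a containment check on ``ALLOWED_INCLUDE_ROOTS`` that accepts a raw path, and the fix as normalising with ``os.path.abspath`` before checking. The following is an added example, not Django's own code nor code from this bug: the two helper functions ``naive_is_allowed`` and ``safe_is_allowed`` and the ``ALLOWED_INCLUDE_ROOTS`` value are constructed here to show why the plain string-prefix test passes the ``/var/includes/../../etc/passwd`` path from the advisory and how the normalised check rejects it. The trailing-separator comparison in the hardened version goes one step beyond what the advisory states, to also reject sibling directories that merely share a name prefix with an allowed root.

```python
import os

# Constructed setting value for this example, mirroring the advisory's
# "/var/includes" root (not a real site's configuration).
ALLOWED_INCLUDE_ROOTS = ("/var/includes",)


def naive_is_allowed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Pre-fix style check (hypothetical helper): a plain string-prefix test on
    the raw, un-normalised path. A path that starts with an allowed root and
    then climbs out with '..' segments still satisfies this test."""
    return any(filepath.startswith(root) for root in roots)


def safe_is_allowed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Hardened check (hypothetical helper): resolve '.' and '..' segments with
    os.path.abspath first, then require that the resulting absolute path lies
    inside one of the allowed roots."""
    abs_path = os.path.abspath(filepath)
    for root in roots:
        abs_root = os.path.abspath(root)
        # Compare against the root with a trailing separator so that a
        # sibling such as "/var/includes_private/x" is not accepted as
        # being under "/var/includes".
        if abs_path == abs_root or abs_path.startswith(abs_root.rstrip(os.sep) + os.sep):
            return True
    return False


def compare(filepath):
    """Return (naive_result, safe_result, normalised_path) for one candidate path."""
    return (
        naive_is_allowed(filepath),
        safe_is_allowed(filepath),
        os.path.abspath(filepath),
    )


if __name__ == "__main__":
    # Constructed candidate paths: the advisory's traversal example, a normal
    # include, a harmless '..' that stays inside the root, and a sibling dir.
    for candidate in (
        "/var/includes/../../etc/passwd",
        "/var/includes/header.html",
        "/var/includes/sub/../footer.html",
        "/var/includes_private/secret.html",
    ):
        naive, safe, resolved = compare(candidate)
        print(f"{candidate:40} naive={naive!s:5} safe={safe!s:5} -> {resolved}")
```

``os.path.abspath`` only collapses ``.`` and ``..`` segments lexically; it does not follow symbolic links. If an allowed root can contain symlinks pointing outside it, ``os.path.realpath`` gives the on-disk location and is the stricter choice for the containment test.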
The security release has been released. https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/ Please take the time to figure out the priority of this update for your project as soon as possible and schedule the update accordingly.
Assignee: nobody → rrosario
Priority: -- → P3
Whiteboard: u=dev c=general p=1 s=2013.18
Target Milestone: --- → 2013Q3
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Nixing the Security flag since this is deployed now.
Group: websites-security
Re-adding security flag to test something.
Group: websites-security
Group: websites-security