Weblog

Security releases issued

Today the Django team is issuing multiple releases -- Django 1.4.7, Django 1.5.3, and Django 1.6 beta 3 -- as part of our security process. These releases are now available on PyPI and our download page

These releases address a directory-traversal vulnerability in one of Django's built-in template tags. While this issue requires some fairly specific factors to be exploitable, we encourage all users of Django to upgrade promptly.

For more details, read on.

Issue: directory traversal with ssi template tag

Django's template language includes two methods of including and rendering one template inside another:

  1. The {% include %} tag takes a template name, and uses Django's template loading mechanism (which is restricted to the directories specified in the TEMPLATE_DIRS setting, as with any other normal template load in Django).
  2. The {% ssi %} tag, which takes a file path and includes that file's contents (optionally parsing and rendering it as a template).

Since the ssi tag is not restricted to TEMPLATE_DIRS, it represents a security risk; the setting ALLOWED_INCLUDE_ROOTS thus is required, and specifies filesystem locations from which ssi may read files.

A report has been submitted to and confirmed by the Django core team, showing that the handling of the ALLOWED_INCLUDE_ROOTS setting is vulnerable to a directory-traversal attack, by specifying a file path which begins as the absolute path of a directory in ALLOWED_INCLUDE_ROOTS, and then uses relative paths to break free. So, for example, if /var/includes is in ALLOWED_INCLUDE_ROOTS, the following would be accepted:

{% ssi '/var/includes/../../etc/passwd' %}

Which would include the contents of /etc/passwd in the template's output.

Note that performing this attack does require some specific circumstances:

  • The site to be attacked must have one or more templates making use of the ssi tag, and must allow some form of unsanitized user input to be used as an argument to the ssi tag, or
  • The attacker must be in a position to alter templates on the site.

To remedy this, the ssi tag will now use Python's os.path.abspath to determine the absolute path of the file, and whether it is actually located within a directory permitted by ALLOWED_INCLUDE_ROOTS.

Thanks to Rainer Koirikivi for reporting this issue to us.

Affected versions

  • Django master development branch
  • Django 1.6 (currently at beta status)
  • Django 1.5
  • Django 1.4

For all affected versions of Django, use CVE-2013-4315 to refer to this issue.

Resolution

Patches have been applied to Django's master development branch, and to the 1.6, 1.5 and 1.4 release branches, which resolve the issue described above. The patches may be obtained directly from the following changesets:

The following new releases have been issued:

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django- developers list. Please see our security policies for further information.

Posted by James Bennett on September 10, 2013