From ebc0001feeee9eb5de60673e85a37153724e2094 Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Tue, 14 Mar 2017 12:33:15 -0400
Subject: Fixed CVE-2017-7234 -- Fixed open redirect vulnerability in
 views.static.serve(). This is a security fix.

---
 django/views/static.py | 23 +++++------------------
 1 file changed, 5 insertions(+), 18 deletions(-)

diff --git a/django/views/static.py b/django/views/static.py
index 19f57b7..c33d858 100644
--- a/django/views/static.py
+++ b/django/views/static.py
@@ -10,9 +10,10 @@ import stat
 import posixpath
 import re
 
-from django.http import (Http404, HttpResponse, HttpResponseRedirect,
+from django.http import (Http404, HttpResponse,
     HttpResponseNotModified, FileResponse)
 from django.template import loader, Template, Context, TemplateDoesNotExist
+from django.utils._os import safe_join
 from django.utils.http import http_date, parse_http_date
 from django.utils.six.moves.urllib.parse import unquote
 from django.utils.translation import ugettext as _, ugettext_lazy
@@ -32,25 +33,11 @@ def serve(request, path, document_root=None, show_indexes=False):
     but if you'd like to override it, you can create a template called
     ``static/directory_index.html``.
     """
-    path = posixpath.normpath(unquote(path))
-    path = path.lstrip('/')
-    newpath = ''
-    for part in path.split('/'):
-        if not part:
-            # Strip empty path components.
-            continue
-        drive, part = os.path.splitdrive(part)
-        head, part = os.path.split(part)
-        if part in (os.curdir, os.pardir):
-            # Strip '.' and '..' in path.
-            continue
-        newpath = os.path.join(newpath, part).replace('\\', '/')
-    if newpath and path != newpath:
-        return HttpResponseRedirect(newpath)
-    fullpath = os.path.join(document_root, newpath)
+    path = posixpath.normpath(unquote(path)).lstrip('/')
+    fullpath = safe_join(document_root, path)
     if os.path.isdir(fullpath):
         if show_indexes:
-            return directory_index(newpath, fullpath)
+            return directory_index(path, fullpath)
         raise Http404(_("Directory indexes are not allowed here."))
     if not os.path.exists(fullpath):
         raise Http404(_('"%(path)s" does not exist') % {'path': fullpath})
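Review bot: The new `safe_join(document_root, path)` line carries no comment on what happens when the requested path escapes `document_root`: `safe_join` rejects such a path by raising `SuspiciousFileOperation` rather than returning a value, and as far as I recall the request handler turns that into a 400 rather than the 404 this function raises everywhere else, which a later maintainer may read as a missing check. I would add above it `# safe_join() raises SuspiciousFileOperation when the joined path resolves outside document_root (served as a 400 by the handler), so no redirect to a client-derived path is needed.` Separately, the `Http404` message on the last context line still interpolates the absolute `fullpath` into the response body, which discloses the server's filesystem layout; that is pre-existing rather than introduced here, but `{'path': path}` would be the safer choice if this function is touched again. `serve()` starts before this hunk and its body continues past it.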
