Description
We have enabled the debug toolbar on our test environment running Django 1.10.17. After auditing the site, we found that the template_origin variable is not correctly sanitized. I understand this is a debug add-on that probably isn't aimed at production environments, but I only wanted to report this as an informative post.
Maybe this is the intended behavior of this variable. If this is correct, sorry for this post!
Proof of concept:
http://FQDN/__debug__/template_source/?template=pages/home.html&template_origin=/etc/passwd
Affected file:
panels/templates/views.py
Affected portion of code:
```python
from django.http import HttpResponseBadRequest
from django.template import TemplateDoesNotExist
from django.template.engine import Engine
from django.utils.safestring import mark_safe

try:
    from django.template import Origin  # django>=1.9
except ImportError:
    Origin = None


def template_source(request):
    """
    Return the source of a template, syntax-highlighted by Pygments if
    it's available.
    """
    # Both values come straight from the query string; neither is checked
    # against the configured template directories.
    template_origin_name = request.GET.get('template_origin', None)
    if template_origin_name is None:
        return HttpResponseBadRequest('"template_origin" key is required')
    template_name = request.GET.get('template', template_origin_name)

    final_loaders = []
    loaders = Engine.get_default().template_loaders

    for loader in loaders:
        if loader is not None:
            # When the loader has loaders associated with it,
            # append those loaders to the list. This occurs with
            # django.template.loaders.cached.Loader
            if hasattr(loader, 'loaders'):
                final_loaders += loader.loaders
            else:
                final_loaders.append(loader)

    for loader in final_loaders:
        if Origin:  # django>=1.9
            # The user-supplied path is wrapped in an Origin and handed to
            # the loader, whose get_contents() opens origin.name as given.
            origin = Origin(template_origin_name)
            try:
                source = loader.get_contents(origin)
                break
            except TemplateDoesNotExist:
                pass
        else:  # django<1.9
            try:
                source, _ = loader.load_template_source(template_name)
                break
            except TemplateDoesNotExist:
                pass
    else:
        source = "Template Does Not Exist: %s" % (template_origin_name,)

    try:
        from pygments import highlight
        from pygments.lexers import HtmlDjangoLexer
        from pygments.formatters import HtmlFormatter
        source = highlight(source, HtmlDjangoLexer(), HtmlFormatter())
        source = mark_safe(source)
        source.pygmentized = True
    except ImportError:
        pass
    # (the remainder of the view, which renders `source` into the response,
    # is not included in this report)
```
Regards,
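The following is an added, stand-alone illustration of the problem in the report above and of one way to close it; it is not django-debug-toolbar's or Django's code. It models the relevant shape of Django's filesystem loader (get_template_sources yielding Origin objects, get_contents opening origin.name as given) in plain Python with a temporary directory, so it runs without Django. `template_source_reported` has the structure of the quoted view: whatever arrives in template_origin becomes an Origin and is opened. `template_source_checked` is an assumed hardening: it only serves an origin that one of the loaders itself produces for the requested template name, so a value that does not resolve inside a template directory is refused. The sample template and the "secret" file standing in for /etc/passwd are constructed for the example.

```python
"""Model of the template_source path traversal and an origin-allowlist fix."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional


class TemplateDoesNotExist(Exception):
    pass


@dataclass(frozen=True)
class Origin:
    name: str                          # absolute path, as in Django's Origin.name
    template_name: Optional[str] = None


class FilesystemLoader:
    """Minimal stand-in for Django's filesystem loader (not Django's code)."""

    def __init__(self, dirs: List[str]):
        self.dirs = [os.path.realpath(d) for d in dirs]

    def get_template_sources(self, template_name: str) -> Iterator[Origin]:
        # Django uses safe_join here, which rejects names escaping the dir;
        # a resolve-and-prefix check gives the same effect in this model.
        for template_dir in self.dirs:
            candidate = os.path.realpath(os.path.join(template_dir, template_name))
            if candidate.startswith(template_dir + os.sep):
                yield Origin(name=candidate, template_name=template_name)

    def get_contents(self, origin: Origin) -> str:
        # Like Django's loader: opens origin.name as given, no containment check.
        try:
            with open(origin.name, encoding="utf-8") as fh:
                return fh.read()
        except FileNotFoundError:
            raise TemplateDoesNotExist(origin.name)


def template_source_reported(params: Dict[str, str], loaders: List[FilesystemLoader]) -> str:
    """Shape of the reported view: template_origin is trusted as-is."""
    template_origin_name = params.get("template_origin")
    if template_origin_name is None:
        return '400: "template_origin" key is required'
    for loader in loaders:
        try:
            return loader.get_contents(Origin(template_origin_name))
        except TemplateDoesNotExist:
            pass
    return "Template Does Not Exist: %s" % template_origin_name


def template_source_checked(params: Dict[str, str], loaders: List[FilesystemLoader]) -> str:
    """Assumed fix: only serve an origin a loader produces for `template`."""
    template_origin_name = params.get("template_origin")
    if template_origin_name is None:
        return '400: "template_origin" key is required'
    template_name = params.get("template", template_origin_name)
    for loader in loaders:
        for origin in loader.get_template_sources(template_name):
            if origin.name != template_origin_name:
                continue  # not a path the loader would resolve this template to
            try:
                return loader.get_contents(origin)
            except TemplateDoesNotExist:
                pass
    return "Template Does Not Exist: %s" % template_origin_name


def build_fixture() -> Dict[str, object]:
    """Constructed sample data: a template dir plus a file outside it."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="dt-"))
    template_dir = os.path.join(root, "templates")
    os.makedirs(os.path.join(template_dir, "pages"))
    home = os.path.join(template_dir, "pages", "home.html")
    with open(home, "w", encoding="utf-8") as fh:
        fh.write("<h1>home</h1>\n")
    secret = os.path.join(root, "secret.txt")  # stands in for /etc/passwd
    with open(secret, "w", encoding="utf-8") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n")
    return {
        "home_origin": home,
        "secret": secret,
        "loaders": [FilesystemLoader([template_dir])],
    }


if __name__ == "__main__":
    fx = build_fixture()
    attack = {"template": "pages/home.html", "template_origin": fx["secret"]}
    print("reported:", template_source_reported(attack, fx["loaders"]))
    print("checked: ", template_source_checked(attack, fx["loaders"]))
```

The point the model makes explicit: the loader never needs the `template` parameter to open a file, only `origin.name`, which is why the PoC can set `template=pages/home.html` and still read any path the web server's user can open. The checked variant keys the lookup on the template name instead and treats the origin as a selector among the loader's own candidates, so the browser-supplied path can only ever match a file the engine would have loaded anyway.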