From 08f6e43575e79657cb1299d5f4c391821273f724 Mon Sep 17 00:00:00 2001 From: Matthias Kestenholz Date: Mon, 13 Nov 2017 21:22:03 +0100 Subject: [PATCH 1/2] Refs #984: Disallow loading arbitrary files using the template_source debugging view --- debug_toolbar/panels/templates/panel.py | 3 +++ debug_toolbar/panels/templates/views.py | 5 +++++ debug_toolbar/templates/debug_toolbar/panels/templates.html | 2 +- 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/debug_toolbar/panels/templates/panel.py b/debug_toolbar/panels/templates/panel.py index 7367cc153..ace5a6bd4 100644 --- a/debug_toolbar/panels/templates/panel.py +++ b/debug_toolbar/panels/templates/panel.py @@ -7,6 +7,7 @@ from django import http from django.conf.urls import url +from django.core import signing from django.db.models.query import QuerySet, RawQuerySet from django.template import RequestContext, Template from django.test.signals import template_rendered @@ -192,8 +193,10 @@ def generate_stats(self, request, response): template = template_data.get('template', None) if hasattr(template, 'origin') and template.origin and template.origin.name: template.origin_name = template.origin.name + template.origin_hash = signing.dumps(template.origin.name) else: template.origin_name = _('No origin') + template.origin_hash = '' info['template'] = template # Clean up context for better readability if self.toolbar.config['SHOW_TEMPLATE_CONTEXT']: diff --git a/debug_toolbar/panels/templates/views.py b/debug_toolbar/panels/templates/views.py index ac7cd3955..b458f1713 100644 --- a/debug_toolbar/panels/templates/views.py +++ b/debug_toolbar/panels/templates/views.py @@ -1,5 +1,6 @@ from __future__ import absolute_import, unicode_literals +from django.core import signing from django.http import HttpResponseBadRequest from django.template import TemplateDoesNotExist from django.template.engine import Engine 
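Review bot: `signing.dumps(template.origin.name)` in generate_stats signs with Django's default salt, so any string that some other part of the project signs with the same SECRET_KEY and default salt is also accepted as a `template_origin` by this view; bind the token to its purpose with `template.origin_hash = signing.dumps(template.origin.name, salt='debug_toolbar.template_source')` and use the same salt in the matching `signing.loads` in views.py. The attribute name `origin_hash` is also misleading, since the value is a signed, reversible serialization of the path rather than a digest, so either `origin_token` or a comment such as `# signed so template_source cannot be pointed at arbitrary files (#984)` would tell the next reader why it exists. The `''` fallback on the else branch presumably ends up in the link built in templates.html; if so, the template should skip the link rather than emit a token the view will reject with 400. generate_stats starts and ends outside this hunk.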
@@ -23,6 +24,10 @@ def template_source(request): template_origin_name = request.GET.get('template_origin', None) if template_origin_name is None: return HttpResponseBadRequest('"template_origin" key is required') + try: + template_origin_name = signing.loads(template_origin_name) + except Exception: + return HttpResponseBadRequest('"template_origin" is invalid') template_name = request.GET.get('template', template_origin_name) final_loaders = [] diff --git a/debug_toolbar/templates/debug_toolbar/panels/templates.html b/debug_toolbar/templates/debug_toolbar/panels/templates.html index d7bf6a622..0440dc349 100644 --- a/debug_toolbar/templates/debug_toolbar/panels/templates.html +++ b/debug_toolbar/templates/debug_toolbar/panels/templates.html @@ -14,7 +14,7 @@
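Review bot: The new guard catches `Exception` around `signing.loads`, which hides programming errors and anything unrelated to a bad token; the failure mode being handled is specifically `except signing.BadSignature:` (a `ValueError` from a malformed token is a subclass of it via `BadSignature` only for the signing layer, so add `ValueError` explicitly if you want to be defensive). Also pass a purpose-specific salt, `signing.loads(template_origin_name, salt='debug_toolbar.template_source')`, so that a value signed elsewhere in the project with the default salt cannot be replayed into this view. The unsigned `template` parameter still flows into `template_name` on the next line; if that value is only echoed back in the rendered page it needs no signing, but if the rest of the function uses it to locate a file it needs the same treatment. template_source continues beyond the end of this hunk.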

{% blocktrans count templates|length as template_count %}Template{% plural % {% if templates %}
{% for template in templates %} -
{{ template.template.name|addslashes }}
+
{{ template.template.name|addslashes }}
{{ template.template.origin_name|addslashes }}
{% if template.context %}
From 038c649eadbd4818c3d260cf1844c0cc5e837f5d Mon Sep 17 00:00:00 2001 From: Matthias Kestenholz Date: Mon, 13 Nov 2017 22:12:37 +0100 Subject: [PATCH 2/2] Fix the template_source test --- tests/test_integration.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/test_integration.py b/tests/test_integration.py index 03d1f681a..fceb9ae4c 100644 --- a/tests/test_integration.py +++ b/tests/test_integration.py @@ -8,6 +8,7 @@ import django from django.contrib.staticfiles.testing import StaticLiveServerTestCase +from django.core import signing from django.core.checks import Error, run_checks from django.template.loader import get_template from django.test import RequestFactory, TestCase @@ -143,7 +144,7 @@ def test_template_source_checks_show_toolbar(self): url = '/__debug__/template_source/' data = { 'template': template.template.name, - 'template_origin': template.template.origin.name + 'template_origin': signing.dumps(template.template.origin.name) } response = self.client.get(url, data)
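Review bot: The updated test only exercises the accepted path; nothing asserts that the new guard in template_source rejects an unsigned or tampered `template_origin`, which is the behaviour #984 is about. Add a second request in this test or a sibling with the raw path, `response = self.client.get(url, {'template_origin': template.template.origin.name})` followed by `self.assertEqual(response.status_code, 400)`, and a third with the signed token's last character altered, assuming the toolbar is enabled for the test client as the accepted path presumably requires. The test function test_template_source_checks_show_toolbar starts before this hunk and its assertions on `response` come after it.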