Django framework Arbitrary File Inclusion Vulnerability

Source: Internet
Author: User

On July 6, April 21, Django, the Python-based open-source web framework, released a security bulletin stating that the contrib.markup package in Django 1.5 and earlier has an arbitrary file inclusion vulnerability that attackers can exploit through docutils. The Docutils project's main aim is to create a set of tools for converting plain text into common formats, including HTML, XML, and LaTeX. The Docutils package is the standard package for rendering reStructuredText (reST). One reST feature is the ability to include other files in a document, and it is enabled by default. In Django ≤ 1.5, the contrib.markup package depends on docutils and provides template filters for rendering reST to HTML on demand; however, it does not disable this problematic option, which reads local files from the file system. If docutils renders user-supplied input containing a malicious directive and the option has not been disabled, attackers can read arbitrary files on the host (at least any file readable by the user the WSGI container runs as), exposing sensitive files or configuration information. Although Django 1.6 removes the contrib.markup app, many third-party apps in the Djangoverse still depend on docutils and copy Django's pattern:

from django.conf import settings
from django.utils.encoding import force_text, smart_bytes
from docutils.core import publish_parts

# Template filter that renders reST to HTML; it passes project settings
# straight through, so file inclusion stays at the docutils default (enabled).
def restructuredtext(value):
    docutils_settings = getattr(settings, 'RESTRUCTUREDTEXT_FILTER_SETTINGS', {})
    parts = publish_parts(source=smart_bytes(value),
                          writer_name="html4css1",
                          settings_overrides=docutils_settings)
    return force_text(parts["fragment"])

To solve the arbitrary file inclusion problem, package maintainers should adopt the following pattern. These packages may not carry the same warnings as the Django documentation, but in any case file inclusion should be disabled by default for safety, rather than left to manual configuration.
from django.conf import settings
from django.utils.encoding import force_text, smart_bytes
from docutils.core import publish_parts

# Hardened filter: raw markup and file insertion are off by default, and
# project settings are layered on top of that baseline.
def restructuredtext(value):
    docutils_settings = {
        'raw_enabled': False,
        'file_insertion_enabled': False,
    }
    docutils_settings.update(getattr(settings, 'RESTRUCTUREDTEXT_FILTER_SETTINGS', {}))
    parts = publish_parts(source=smart_bytes(value),
                          writer_name="html4css1",
                          settings_overrides=docutils_settings)
    return force_text(parts["fragment"])

Users of packages that follow the preceding pattern also need to update their project settings and add the following:
RESTRUCTUREDTEXT_FILTER_SETTINGS = {
    'raw_enabled': False,
    'file_insertion_enabled': False,
}
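The hardened pattern above, as an added example that is not Django's or any package's own code: it uses docutils directly (no Django required) and goes one step further than the page's dict.update() merge by refusing any project override that would turn the filesystem options back on. The build_docutils_settings, render_rest and include_is_blocked names are assumptions of this example; the self-check writes a constructed marker file and confirms the hardened renderer leaves it out of the HTML.

```python
import os
import tempfile

from docutils.core import publish_parts

# docutils enables both of these by default; a renderer for untrusted
# input must switch them off itself.
HARDENED_DEFAULTS = {"raw_enabled": False, "file_insertion_enabled": False}


def build_docutils_settings(overrides=None):
    """Hardened defaults plus project overrides; unlike dict.update(), an
    override that re-enables a filesystem option is refused."""
    merged = dict(HARDENED_DEFAULTS)
    for key, value in (overrides or {}).items():
        if key in HARDENED_DEFAULTS and value:
            raise ValueError("refusing to enable docutils option %r" % key)
        merged[key] = value
    return merged


def render_rest(value, overrides=None):
    """Render untrusted reST to an HTML fragment with file access disabled."""
    parts = publish_parts(source=value, writer_name="html4css1",
                          settings_overrides=build_docutils_settings(overrides))
    return parts["fragment"]


def include_is_blocked():
    """Regression check: render the same source with docutils defaults (to show
    the file would otherwise be pulled in) and hardened; True means the
    hardened fragment does not contain the file's contents."""
    marker = "CONSTRUCTED-SECRET-VALUE"  # constructed sample, not a real secret
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(marker + "\n")
        path = fh.name
    try:
        source = "Hello\n\n.. include:: %s\n" % path
        quiet = {"report_level": 5}  # keep docutils messages off stderr
        unhardened = publish_parts(source=source, writer_name="html4css1",
                                   settings_overrides=quiet)["fragment"]
        hardened = render_rest(source, quiet)
        return marker in unhardened and marker not in hardened
    finally:
        os.unlink(path)
```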
