Fixed CVE-2017-7234 -- Fixed open redirect vulnerability in views.static.serve().

This is a security fix.

Fixed CVE-2017-7234 -- Fixed open redirect vulnerability in views.static.serve().
This is a security fix.
a1f948b4 · Tim Graham · b9ebf6c0 · a1f948b4 · a1f948b4 · a1f948b4
Kaydet (Commit) a1f948b4 authored Mar 14, 2017 tarafından Tim Graham
5 changed files
--- a/django/views/static.py
+++ b/django/views/static.py
@@ -10,9 +10,9 @@ import stat

 from django.http import (
    FileResponse, Http404, HttpResponse, HttpResponseNotModified,
-    HttpResponseRedirect,
 )
 from django.template import Context, Engine, TemplateDoesNotExist, loader
+from django.utils._os import safe_join
 from django.utils.http import http_date, parse_http_date
 from django.utils.translation import gettext as _, gettext_lazy

@@ -33,25 +33,11 @@ def serve(request, path, document_root=None, show_indexes=False):
    but if you'd like to override it, you can create a template called
    ``static/directory_index.html``.
    """
-    path = posixpath.normpath(path)
-    path = path.lstrip('/')
-    newpath = ''
-    for part in path.split('/'):
-        if not part:
-            # Strip empty path components.
-            continue
-        drive, part = os.path.splitdrive(part)
-        head, part = os.path.split(part)
-        if part in (os.curdir, os.pardir):
-            # Strip '.' and '..' in path.
-            continue
-        newpath = os.path.join(newpath, part).replace('\\', '/')
-    if newpath and path != newpath:
-        return HttpResponseRedirect(newpath)
-    fullpath = os.path.join(document_root, newpath)
+    path = posixpath.normpath(path).lstrip('/')
+    fullpath = safe_join(document_root, path)
    if os.path.isdir(fullpath):
        if show_indexes:
-            return directory_index(newpath, fullpath)
+            return directory_index(path, fullpath)
        raise Http404(_("Directory indexes are not allowed here."))
    if not os.path.exists(fullpath):
        raise Http404(_('"%(path)s" does not exist') % {'path': fullpath})

--- a/docs/releases/1.10.7.txt
+++ b/docs/releases/1.10.7.txt
@@ -6,6 +6,17 @@ Django 1.10.7 release notes

 Django 1.10.7 fixes two security issues and a bug in 1.10.6.

+CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
+=============================================================================
+
+A maliciously crafted URL to a Django site using the
+:func:`~django.views.static.serve` view could redirect to any other domain. The
+view no longer does any redirects as they don't provide any known, useful
+functionality.
+
+Note, however, that this view has always carried a warning that it is not
+hardened for production use and should be used only as a development aid.
+
 Bugfixes
 ========


--- a/docs/releases/1.8.18.txt
+++ b/docs/releases/1.8.18.txt
@@ -5,3 +5,14 @@ Django 1.8.18 release notes
 *April 4, 2017*

 Django 1.8.18 fixes two security issues in 1.8.17.
+
+CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
+=============================================================================
+
+A maliciously crafted URL to a Django site using the
+:func:`~django.views.static.serve` view could redirect to any other domain. The
+view no longer does any redirects as they don't provide any known, useful
+functionality.
+
+Note, however, that this view has always carried a warning that it is not
+hardened for production use and should be used only as a development aid.
--- a/docs/releases/1.9.13.txt
+++ b/docs/releases/1.9.13.txt
@@ -7,6 +7,17 @@ Django 1.9.13 release notes
 Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final
 release of the 1.9.x series.

+CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
+=============================================================================
+
+A maliciously crafted URL to a Django site using the
+:func:`~django.views.static.serve` view could redirect to any other domain. The
+view no longer does any redirects as they don't provide any known, useful
+functionality.
+
+Note, however, that this view has always carried a warning that it is not
+hardened for production use and should be used only as a development aid.
+
 Bugfixes
 ========


--- a/tests/view_tests/tests/test_static.py
+++ b/tests/view_tests/tests/test_static.py
@@ -110,7 +110,7 @@ class StaticTests(SimpleTestCase):

    def test_index(self):
        response = self.client.get('/%s/' % self.prefix)
-        self.assertContains(response, 'Index of /')
+        self.assertContains(response, 'Index of ./')


 class StaticHelperTest(StaticTests):