Django Security Advisory: Arbitrary file inclusion through docutils =================================================================== Today the Django team is issuing a security advisory regarding the usage of docutils for unsanitized user input. https://www.djangoproject.com/weblog/2015/apr/21/docutils-security-advisory/ Summary ======= Following a security hardening patch in `django.contrib.admindocs`, we noticed that a code pattern from Django <= 1.5 is commonly used by third party packages, possibly putting their users at risk. Description =========== The `docutils` Python package is the standard package to render reStructuredText (reST). One of reST's features is including other files in a document. The respective directives are active by default which is a valid case for the original use case of docutils: rendering documentation. Django <= 1.5 has a package `django.contrib.markup` which relies on docutils and provides a template filter that is used to render reST to HTML on demand. This happens without deactivating the problematic directives to include files from the file system. If docutils' rendering is used with unsanitized user input and without disabling the directives, an attacker can access arbitrary files on the host (at least, the files that the user running the WSGI container can access). This could eventually lead to disclosure of secure information, such as the project settings. This scenario has been documented[2]. In Django 1.6 the `django.contrib.markup` app was removed. However, many third-party applications in the Djangoverse still rely on docutils and also copied the pattern Django uses to allow deactivating the directives: docutils_settings = getattr(settings, 'RESTRUCTUREDTEXT_FILTER_SETTINGS', {}) parts = publish_parts( source=smart_bytes(value), writer_name="html4css1", settings_overrides=docutils_settings ) return force_text(parts["fragment"]) These packages may not contain the same warnings that Django's documentation includes, and in any case, it's a good idea to disable file inclusion by default in order to make things "secure by default" rather than relying on users disabling it explicitly. Resolution ========== In order to solve the arbitrary file inclusion package maintainers should adapt to the following pattern: docutils_settings = { 'raw_enabled': False, 'file_insertion_enabled': False, } docutils_settings.update(getattr(settings, 'RESTRUCTUREDTEXT_FILTER_SETTINGS', {})) parts = publish_parts( source=smart_bytes(value), writer_name="html4css1", settings_overrides=docutils_settings ) return force_text(parts["fragment"]) Workaround ========== Users of packages that use the above pattern should update their project settings to include: RESTRUCTUREDTEXT_FILTER_SETTINGS = { 'raw_enabled': False, 'file_insertion_enabled': False, } [1] https://pypi.python.org/pypi/docutils [2] https://docs.djangoproject.com/en/1.4/ref/contrib/markup/#restructured-text --