From aad44105a4e93683b4aa171ff342cd3cf17dd159 Mon Sep 17 00:00:00 2001
From: Raphael Michel
Date: Mon, 29 Aug 2016 21:49:14 +0200
Subject: [PATCH] Document and further restrict a possible path traversal issue

---
 src/pretix/control/urls.py | 2 +-
 src/pretix/control/views/help.py | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/pretix/control/urls.py b/src/pretix/control/urls.py
index b47ccdf43..c3ba01fb1 100644
--- a/src/pretix/control/urls.py
+++ b/src/pretix/control/urls.py
@@ -93,5 +93,5 @@ urlpatterns = [
         url(r'^orders/$', orders.OrderList.as_view(), name='event.orders'),
         url(r'^attendees/$', attendees.AttendeeList.as_view(), name='event.attendees'),
     ])),
-    url(r'^help/(?P[^.]+)$', help.HelpView.as_view(), name='help'),
+    url(r'^help/(?P[a-zA-Z0-9_/]+)$', help.HelpView.as_view(), name='help'),
 ]
diff --git a/src/pretix/control/views/help.py b/src/pretix/control/views/help.py
index da69f6203..9645a0fcd 100644
--- a/src/pretix/control/views/help.py
+++ b/src/pretix/control/views/help.py
@@ -13,6 +13,10 @@ class HelpView(View):
     paginate_by = 30
 
     def get(self, request, *args, **kwargs):
+        # In a security review, this came up as a possible path traversal issue. However, the URL regex
+        # does not allow any dots in the argument (which forbids traversing upwards in the directory tree).
+        # Even if it *was* possbile, it'd be loaded through django's template loader and therefore limited
+        # to TEMPLATE_DIR.
         try:
             locale = request.LANGUAGE_CODE
             return render(request, 'pretixcontrol/help/%s.%s.html' % (kwargs.get('topic'), locale), {})
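Review bot: The new allow-list `[a-zA-Z0-9_/]+` still accepts a leading slash and empty segments (`help//x`, `help/a//b`), so the template name built from `topic` can contain `//`; if the intent is "one or more identifier-like segments", `r'^help/(?P<topic>[a-zA-Z0-9_]+(?:/[a-zA-Z0-9_]+)*)$'` expresses that and keeps dots excluded. As rendered here the group reads `(?P[...]+)` with no group name, which is not valid Python regex syntax — presumably the `<topic>` name that the view's `kwargs.get('topic')` relies on was lost in extraction, worth confirming against the actual file. A short comment on this pattern such as `# deliberately no '.' so the help view cannot be pointed at '..' segments` would tie the restriction to the reasoning that currently lives only in views/help.py.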
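Review bot: The added comment's safety argument rests entirely on the regex in urls.py, a file that can be edited without anyone re-reading this view; a cheap in-view guard keeps the property local, e.g. `topic = kwargs.get('topic', '')` followed by `if '..' in topic or topic.startswith('/'): raise Http404()` before the `render` call (Http404 would need to be in scope here). The comment also has a typo, `possbile` → `possible`, and "TEMPLATE_DIR" is not a Django setting name — in this Django era the loader search path comes from `TEMPLATES[...]['DIRS']` plus app template directories, so "limited to the configured template directories" would be accurate. Note that `locale = request.LANGUAGE_CODE` is interpolated into the same template path and is only as constrained as the locale middleware makes it; that is presumably validated against `settings.LANGUAGES`, but the comment should say so rather than only discuss `topic`. The `except` clause of `get` lies outside this hunk.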