
Any HTML file readable by the app can be rendered and have the template source exposed #29


Closed
thibaudcolas opened this issue Feb 19, 2020 · 2 comments · Fixed by #83
bug Something isn't working django Related to Django templates capabilities
In GitLab by @bcdickinson on Nov 30, 2019, 12:52

Steps to reproduce (using the test app and ./runserver.sh):

  1. Create a file tests/templates/secure/fail.html with the following content:
    {% if False %}Don't show me{% endif %}
  2. Run the test app with ./runserver.sh
  3. Go to http://localhost:8000/pattern-library/pattern/secure/fail.html
  4. Recoil in horror as your non-pattern template's logic is exposed to anyone.

This is a problem because this template is not part of the pattern library and shouldn't be exposed just because the pattern library app is enabled.


thibaudcolas commented Feb 19, 2020

In GitLab by @bcdickinson on Nov 30, 2019, 14:44

It's not the case that you can load arbitrary files on the filesystem, they need to be accessible by Django's template loader. However, you can load any template your app can load, even if it's not part of the pattern library. This will be resolved by a754cee (#83).
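The comment above pins down the actual scope of the bug: the template loader keeps lookups inside the configured template directories, but it makes no distinction between pattern templates and every other template the app can load, so a browsing view that hands the URL path straight to the loader serves `secure/fail.html` as readily as any pattern. The example below is an added illustration, not django-pattern-library's code or the fix in #83. It models the two behaviours side by side: an unrestricted lookup as reported in the issue, and a lookup gated by an allowlist of template subdirectories. `PATTERN_DIRS`, `is_pattern_template`, `LOADABLE_TEMPLATES` and the two `render_pattern_*` functions are assumptions for this example, and the loadable-template dictionary stands in for what Django's loader would find on disk.

```python
"""Added example (not django-pattern-library code): gate a pattern-browsing
view on an allowlist of template directories instead of trusting the loader.

Assumed setting: only templates under these subdirectories of the template
search path are patterns the library is meant to expose.
"""
import posixpath

PATTERN_DIRS = ("patterns",)  # assumed configuration for this example

# Constructed stand-in for what Django's template loader can resolve.
# The second entry mirrors tests/templates/secure/fail.html from the issue.
LOADABLE_TEMPLATES = {
    "patterns/atoms/button.html": "<button>{{ label }}</button>",
    "secure/fail.html": "{% if False %}Don't show me{% endif %}",
}


def is_pattern_template(template_name, pattern_dirs=PATTERN_DIRS):
    """Return True only if the (normalised) name sits under an allowed directory.

    Normalisation matters: "patterns/../secure/fail.html" resolves to
    "secure/fail.html", so a naive prefix check on the raw string would pass it.
    Absolute names and names that still escape upward after normalisation are
    rejected outright.
    """
    name = template_name.replace("\\", "/")
    if name.startswith("/"):
        return False
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return False
    for allowed in pattern_dirs:
        prefix = allowed.rstrip("/") + "/"
        # Require a real path segment boundary so "patternsx/a.html" does not match.
        if norm.startswith(prefix) and len(norm) > len(prefix):
            return True
    return False


def render_pattern_unrestricted(template_name):
    """The behaviour the issue reports: whatever the loader can find is served."""
    return LOADABLE_TEMPLATES.get(template_name)


def render_pattern_restricted(template_name):
    """Hardened lookup: non-pattern templates are never handed to the loader.

    Returning None models raising Http404 in a real Django view.
    """
    if not is_pattern_template(template_name):
        return None
    return LOADABLE_TEMPLATES.get(template_name)


if __name__ == "__main__":
    for requested in ("patterns/atoms/button.html", "secure/fail.html",
                      "patterns/../secure/fail.html"):
        print(requested,
              "| unrestricted:", render_pattern_unrestricted(
                  posixpath.normpath(requested)),
              "| restricted:", render_pattern_restricted(requested))
```

The allowlist is checked on the normalised name before any loader call, so the decision does not depend on how a particular loader resolves `..` or duplicate slashes; the loader's own directory containment is still relied on for anything that passes the check.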

@thibaudcolas thibaudcolas added bug Something isn't working and removed kind/bug labels Feb 19, 2020
@thibaudcolas thibaudcolas linked a pull request Feb 24, 2020 that will close this issue
4 tasks

thibaudcolas commented Feb 24, 2020

@bcdickinson based on your comment at #83 (comment) it looks like the #83 which contains the commit that would fix this is relatively far from being merge-able. Do you think this commit could be cherry-picked as a standalone PR? I think it would be nice to fix this issue sooner rather than later.

@thibaudcolas thibaudcolas added this to the v0.3.0 milestone Feb 24, 2020
@thibaudcolas thibaudcolas added the django Related to Django templates capabilities label Feb 26, 2020
@thibaudcolas thibaudcolas moved this to High priority in Roadmap Aug 19, 2023