Any HTML file readable by the app can be rendered and have the template source exposed

[thibaudcolas]

In GitLab by @bcdickinson on Nov 30, 2019, 12:52

Steps to reproduce (using the test app and ./runserver.sh:

1. Create a file tests/templates/secure/fail.html with the following content:

   {% if False %}Don't show me{% endif %}

2. Run the test app with ./runserver.sh
3. Go to http://localhost:8000/pattern-library/pattern/secure/fail.html
4. Recoil in horror as your non-pattern template's logic is exposed to anyone.

This is a problem because this template is not part of the pattern library and shouldn't be exposed just because the pattern library app is enabled.

[thibaudcolas]

In GitLab by @bcdickinson on Nov 30, 2019, 14:44

It's not the case that you can load arbitrary files on the filesystem, they need to be accessible by Django's template loader. However, you can load any template your app can load, even if it's not part of the pattern library. This will be resolved by a754cee (#83).

[thibaudcolas]

@bcdickinson based on your comment at #83 (comment) it looks like the #83 which contains the commit that would fix this is relatively far from being merge-able. Do you think this commit could be cherry-picked as a standalone PR? I think it would be nice to fix this issue sooner rather than later.