Information disclosure

PoC (illustrative reproduction): 1) Enable a Django project in DEBUG mode and render a template that exercises a partial/template inclusion that would trigger PartialTemplate.source. 2) Access the PartialTemplate.source attribute to trigger the warning (as done by Django's template engine when debugging is enabled). 3) Observe the RuntimeWarning emitted and note the filename associated with the warning in the traceback or warning output. Before this patch, the filename would often point to an internal Django path (e.g., .../django/template/...); with the patch, the warning should skip internal prefixes and instead point to the application's caller file. Python/Pseudo-code (illustrative; depends on Django internals): import warnings from django.conf import settings import django settings.configure(DEBUG=True, TEMPLATES=[{'BACKEND':'django.template.backends.django.DjangoTemplates','DIRS':[], 'APP_DIRS': True}]) django.setup() # Trigger the PartialTemplate.source warning via internal API (the exact access pattern may vary by Django version) # This is representative of how a developer might cause the warning during template debugging from django.template import engines template = engines['django'].from_string("{% include 'partials/foo.html' %}") partial = template.nodelist[0].template # depends on internal structure with warnings.catch_warnings(record=True) as w: warnings.simplefilter('always') _ = partial.source # accessing source triggers the warning under DEBUG for warn in w: print("Warning:", warn.message) print("Origin filename:", getattr(warn, 'filename', '<unknown>')) Notes: - The crucial aspect demonstrated is that, prior to this patch, the stack trace or warning location could reveal internal Django paths. The patch adds skip_file_prefixes so internal paths are not exposed. - The exact code path to reach PartialTemplate.source may vary between Django versions; the test suite for this commit demonstrates the intended behavior by asserting the caller filename is the test file rather than an internal Django file.

diff --git a/django/template/base.py b/django/template/base.py index 37e7243d5c9b..b87291746b68 100644 --- a/django/template/base.py +++ b/django/template/base.py @@ -52,10 +52,12 @@ import inspect import logging +import os import re import warnings from enum import Enum +import django from django.template.context import BaseContext from django.utils.formats import localize from django.utils.html import conditional_escape @@ -327,7 +329,7 @@ def source(self): "PartialTemplate.source is only available when template " "debugging is enabled.", RuntimeWarning, - stacklevel=2, + skip_file_prefixes=(os.path.dirname(django.__file__),), ) return self.find_partial_source(template.source) diff --git a/tests/template_tests/test_partials.py b/tests/template_tests/test_partials.py index 9762436fdc42..984f0441c204 100644 --- a/tests/template_tests/test_partials.py +++ b/tests/template_tests/test_partials.py @@ -144,8 +144,9 @@ def test_template_source_warning(self): RuntimeWarning, "PartialTemplate.source is only available when template " "debugging is enabled.", - ): + ) as ctx: self.assertEqual(partial.template.source, "") + self.assertEqual(ctx.filename, __file__) class RobustPartialHandlingTests(TestCase):