==========================
Django 1.4.7 release notes
==========================

*September 10, 2013*

Django 1.4.7 fixes one security issue present in previous Django releases in
the 1.4 series.

Directory traversal vulnerability in :ttag:`ssi` template tag
-------------------------------------------------------------

In previous versions of Django it was possible to bypass the
:setting:`ALLOWED_INCLUDE_ROOTS` setting, which restricts the files the
:ttag:`ssi` template tag may include, by specifying a path that starts with one
of the allowed roots and then climbs back out of it with ``..`` components. For
example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following would be
possible:

.. code-block:: html+django

    {% ssi "/var/www/../../etc/passwd" %}

The allowed-root check was a plain prefix comparison on the path as written,
and ``/var/www/../../etc/passwd`` does begin with ``/var/www`` even though it
resolves to ``/etc/passwd``.

In practice this is rarely exploitable, as it requires the template author to
pass a user-controlled variable as the :ttag:`ssi` file path, but it is
possible in principle.
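The following is an added example, not Django's own code, showing the prefix
check the bypass above relies on beside a hardened check that normalises the
path before comparing it with the allowed roots. The function names
``naive_include_is_allowed`` and ``hardened_include_is_allowed`` are
hypothetical; the root ``/var/www`` is the one used in the example above. The
hardened version also goes slightly beyond the case in the note: it compares
whole path components, so a root of ``/var/www`` does not accidentally admit
``/var/www2``. It uses ``posixpath`` so the result is the same on every
platform, and it only normalises ``..`` and ``.`` components; it does not
resolve symlinks, for which ``os.path.realpath`` would be needed.

```python
import posixpath

# Constructed example setting, matching the release note's example.
ALLOWED_INCLUDE_ROOTS = ("/var/www",)


def naive_include_is_allowed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Vulnerable check (hypothetical name): a raw string-prefix test.

    "/var/www/../../etc/passwd" starts with "/var/www" and is accepted, even
    though it resolves to /etc/passwd. "/var/www2/x" is accepted for the
    same reason.
    """
    return any(filepath.startswith(root) for root in roots)


def hardened_include_is_allowed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Hardened check (hypothetical name): normalise, then test containment.

    posixpath.normpath collapses ".." and "." components, so the traversal
    from the release note becomes "/etc/passwd" and no longer lies under
    the root. commonpath compares whole components, so "/var/www2/x" is
    not treated as being inside "/var/www". Symlinks are not resolved here.
    """
    # An include must name an absolute location under a root; a relative
    # path would depend on the process's working directory, so reject it.
    if not posixpath.isabs(filepath):
        return False
    normalised = posixpath.normpath(filepath)
    for root in roots:
        root = posixpath.normpath(root)
        if normalised == root:
            # Including the root directory itself is never a valid ssi target.
            return False
        if posixpath.commonpath([normalised, root]) == root:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample paths: the traversal from the note, a legitimate
    # include, a sibling-directory prefix collision, and a relative path.
    for path in ("/var/www/../../etc/passwd", "/var/www/pages/index.html",
                 "/var/www2/index.html", "var/www/index.html"):
        print("%-30s naive=%-5s hardened=%s" % (
            path, naive_include_is_allowed(path),
            hardened_include_is_allowed(path)))
```

Running the block prints one line per sample path; only
``/var/www/pages/index.html`` passes the hardened check, while the naive check
also accepts the traversal and the ``/var/www2`` collision.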