lib/django-1.4/docs/releases/1.4.7.txt - external/googleappengine/python - Git at Google

 ==========================
 Django 1.4.7 release notes
 ==========================

 *September 10, 2013*

 Django 1.4.7 fixes one security issue present in previous Django releases in
 the 1.4 series.

 Directory traversal vulnerability in :ttag:`ssi` template tag
 -------------------------------------------------------------

 In previous versions of Django it was possible to bypass the
 :setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
 template tag by specifying a relative path that starts with one of the allowed
 roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
 would be possible:

 .. code-block:: html+django

     {% ssi "/var/www/../../etc/passwd" %}

 In practice this is not a very common problem, as it would require the template
 author to put the :ttag:`ssi` file in a user-controlled variable, but it's
 possible in principle.
	==========================
	Django 1.4.7 release notes
	==========================

	September 10, 2013

	Django 1.4.7 fixes one security issue present in previous Django releases in
	the 1.4 series.

	Directory traversal vulnerability in :ttag:`ssi` template tag
	-------------------------------------------------------------

	In previous versions of Django it was possible to bypass the
	:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
	template tag by specifying a relative path that starts with one of the allowed
	roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
	would be possible:

	.. code-block:: html+django

	{% ssi "/var/www/../../etc/passwd" %}

	In practice this is not a very common problem, as it would require the template
	author to put the :ttag:`ssi` file in a user-controlled variable, but it's
	possible in principle.