==========================
Django 1.4.7 release notes
==========================

*September 10, 2013*

Django 1.4.7 fixes one security issue present in previous Django releases in
the 1.4 series.

Directory traversal vulnerability in :ttag:`ssi` template tag
-------------------------------------------------------------

In previous versions of Django it was possible to bypass the
:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
template tag by specifying a path that starts with one of the allowed roots but
climbs back out of it with ``..`` segments. For example, if
``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following would be possible:

.. code-block:: html+django

    {% ssi "/var/www/../../etc/passwd" %}

In practice this is not a very common problem, as it would require the template
author to pass a user-controlled variable as the :ttag:`ssi` file path, but it
is possible in principle.
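As an added illustration (not Django's own code), the following contrasts a plain string-prefix check, which accepts the path from the example above, with a check that normalizes the path before comparing it against ``ALLOWED_INCLUDE_ROOTS``; the function names and sample paths are constructed for this example.

```python
import posixpath

# Same ALLOWED_INCLUDE_ROOTS value the release notes use (constructed example).
ALLOWED_INCLUDE_ROOTS = ("/var/www",)


def is_allowed_prefix_only(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Weak check: a bare prefix test on the unnormalized path.

    "/var/www/../../etc/passwd" starts with "/var/www", so it passes even
    though it resolves to /etc/passwd. This mirrors the bypass described above.
    """
    return any(filepath.startswith(root) for root in roots)


def is_allowed_normalized(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Hardened check: collapse ".." segments first, then compare on a
    directory boundary so that "/var/www-other" is not treated as a child
    of "/var/www" either. Uses POSIX path rules, as the ssi tag paths do.
    """
    resolved = posixpath.normpath(filepath)
    for root in roots:
        root = posixpath.normpath(root)
        if resolved == root or resolved.startswith(root + "/"):
            return True
    return False


def compare_checks(paths):
    """Return {path: (prefix_result, normalized_result)} for a set of paths."""
    return {p: (is_allowed_prefix_only(p), is_allowed_normalized(p)) for p in paths}


if __name__ == "__main__":
    samples = (  # constructed sample paths
        "/var/www/includes/header.html",
        "/var/www/../../etc/passwd",
        "/var/www-other/index.html",
    )
    for path, (weak, strong) in compare_checks(samples).items():
        print(f"{path:40} prefix-only={weak!s:5} normalized={strong}")
```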