==========================
Django 1.4.7 release notes
==========================

*September 10, 2013*

Django 1.4.7 fixes one security issue present in previous Django releases in
the 1.4 series.

Directory traversal vulnerability in ``ssi`` template tag
=========================================================

In previous versions of Django it was possible to bypass the
``ALLOWED_INCLUDE_ROOTS`` setting used for security with the ``ssi``
template tag by specifying a path that starts with one of the allowed roots
but then climbs back out of it with ``..`` segments: the setting was enforced
by comparing the start of the path against the allowed roots, without first
normalising the path. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)``
the following would be possible:

.. code-block:: html+django

    {% ssi "/var/www/../../etc/passwd" %}

In practice this is not a very common problem, as it would require the template
author to pass a user-controlled value as the ``ssi`` path, but it is possible
in principle.
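The bypass comes down to testing a string prefix before the path has been
normalised. The following Python is an added illustration, not Django's own
``ssi`` implementation: it puts that naive prefix check beside a hardened check
that resolves ``..`` segments first and then tests containment by path
component, which also rejects a sibling directory such as ``/var/www2`` that
merely shares the prefix. The function names and the ``ALLOWED_INCLUDE_ROOTS``
value are assumed for the example.

```python
import os

# Constructed example setting, taken from the release note's scenario.
ALLOWED_INCLUDE_ROOTS = ("/var/www",)


def naive_is_allowed(filepath, allowed_roots=ALLOWED_INCLUDE_ROOTS):
    """Prefix check of the kind the note describes as bypassable (hypothetical).

    The string test never resolves '..' components, so
    '/var/www/../../etc/passwd' is accepted because it begins with '/var/www'.
    It also accepts '/var/www2/secret', a sibling directory that merely shares
    a prefix with the root.
    """
    return any(filepath.startswith(root) for root in allowed_roots)


def hardened_is_allowed(filepath, allowed_roots=ALLOWED_INCLUDE_ROOTS):
    """Normalise first, then require containment by path component (hypothetical).

    os.path.abspath collapses '.' and '..' segments without touching the
    filesystem; it does not follow symlinks, so use os.path.realpath instead
    if a symlink under the root could point outside it.  os.path.commonpath
    compares whole components, so '/var/www2' is not inside '/var/www'.
    """
    resolved = os.path.abspath(filepath)
    for root in allowed_roots:
        root = os.path.abspath(root)
        if os.path.commonpath([root, resolved]) == root:
            return True
    return False


def check_samples():
    """Run both checks over constructed paths; returns {path: (naive, hardened)}."""
    samples = (
        "/var/www/index.html",            # legitimate include
        "/var/www/../www/index.html",     # '..' that stays inside the root
        "/var/www/../../etc/passwd",      # the traversal from the release note
        "/var/www2/secret",               # sibling directory sharing the prefix
    )
    return {p: (naive_is_allowed(p), hardened_is_allowed(p)) for p in samples}


if __name__ == "__main__":
    for path, (naive, hardened) in check_samples().items():
        print("%-32s naive=%-5s hardened=%s" % (path, naive, hardened))
```

Only the third sample differs in a way that matters for the advisory: the
naive check lets ``/var/www/../../etc/passwd`` through, the hardened check
does not, and a legitimate ``..`` that stays under the root is still accepted.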