diff --git a/docs/howto/deployment/checklist.txt b/docs/howto/deployment/checklist.txt index 4697a3625d..24b33adc35 100644 --- a/docs/howto/deployment/checklist.txt +++ b/docs/howto/deployment/checklist.txt @@ -232,14 +232,6 @@ details about the default templates: * :ref:`http_forbidden_view` * :ref:`http_bad_request_view` -Miscellaneous -============= - -:setting:`ALLOWED_INCLUDE_ROOTS` --------------------------------- - -This setting is required if you're using the :ttag:`ssi` template tag. - Python Options ============== diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index bf659d8c62..eaaec49349 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -87,6 +87,10 @@ details on these changes. * The backwards compatibility shim to allow ``FormMixin.get_form()`` to be defined with no default value for its ``form_class`` argument will be removed. +* The following settings will be removed: + + * ``ALLOWED_INCLUDE_ROOTS`` + * The backwards compatibility alias ``django.template.loader.BaseLoader`` will be removed. diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 11db92fe05..de50302e97 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -123,6 +123,11 @@ ALLOWED_INCLUDE_ROOTS Default: ``()`` (Empty tuple) +.. deprecated:: 1.8 + + Set the ``'allowed_include_roots'`` option in the :setting:`OPTIONS + ` of a ``DjangoTemplates`` backend instead. + A tuple of strings representing allowed prefixes for the ``{% ssi %}`` template tag. This is a security measure, so that template authors can't access files that they shouldn't be accessing. diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 8e4dc05d38..dced4cdee6 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt 
@@ -996,8 +996,8 @@ file are evaluated as template code, within the current context:: {% ssi '/home/html/ljworld.com/includes/right_generic.html' parsed %} Note that if you use ``{% ssi %}``, you'll need to define -:setting:`ALLOWED_INCLUDE_ROOTS` in your Django settings, as a security -measure. +``'allowed_include_roots'`` in the :setting:`OPTIONS ` of +your template engine, as a security measure. .. note:: With the :ttag:`ssi` tag and the ``parsed`` parameter diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt index 39fc642690..8ce36fcb6c 100644 --- a/docs/releases/1.8.txt +++ b/docs/releases/1.8.txt @@ -1014,6 +1014,14 @@ Related to the previous item, referencing views as strings in the ``url()`` function is deprecated. Pass the callable view as described in the previous section instead. +Template-related settings +~~~~~~~~~~~~~~~~~~~~~~~~~ + +As a consequence of the multiple template engines refactor, several settings +are deprecated in favor of :setting:`TEMPLATES`: + +* ``ALLOWED_INCLUDE_ROOTS`` + ``django.core.context_processors`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/tests/template_tests/tests.py b/tests/template_tests/tests.py index 5d4b029430..0466f91c7a 100644 --- a/tests/template_tests/tests.py +++ b/tests/template_tests/tests.py 
@@ -470,28 +470,27 @@ class SSITests(SimpleTestCase):
     def setUp(self):
         self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
         self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
+        self.engine = Engine(allowed_include_roots=(self.ssi_dir,))
 
     def render_ssi(self, path):
         # the path must exist for the test to be reliable
         self.assertTrue(os.path.exists(path))
-        return template.Template('{%% ssi "%s" %%}' % path).render(Context())
+        return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({}))
 
     def test_allowed_paths(self):
         acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
-        with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
-            self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
+        self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
 
     def test_relative_include_exploit(self):
         """
-        May not bypass ALLOWED_INCLUDE_ROOTS with relative paths
+        May not bypass allowed_include_roots with relative paths
 
-        e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be
+        e.g. if allowed_include_roots = ("/var/www",), it should not be
         possible to do {% ssi "/var/www/../../etc/passwd" %}
         """
         disallowed_paths = [
             os.path.join(self.ssi_dir, "..", "ssi_include.html"),
             os.path.join(self.ssi_dir, "..", "second", "test.html"),
         ]
-        with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
-            for path in disallowed_paths:
-                self.assertEqual(self.render_ssi(path), '')
+        for disallowed_path in disallowed_paths:
+            self.assertEqual(self.render_ssi(disallowed_path), '')
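Review bot: With the `override_settings(ALLOWED_INCLUDE_ROOTS=...)` blocks dropped from `test_allowed_paths` and `test_relative_include_exploit`, nothing left in this hunk exercises the deprecated settings path, even though the docs changes in this commit only deprecate `ALLOWED_INCLUDE_ROOTS` rather than remove it, so a regression in which the engine stops honoring the setting would go unnoticed. One small test that renders `'{%% ssi "%s" %%}' % acceptable_path` through the default engine under `override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,))`, wrapped in `warnings.catch_warnings(record=True)` to also pin the deprecation warning, would keep the compatibility shim covered until the setting is actually removed. Separately, `test_relative_include_exploit` only checks `..` traversal; since the settings docs in this same commit describe the roots as "allowed prefixes", a case confirming that a sibling directory whose name merely starts with the root (e.g. `templates/first_other/`) is rejected would be worth adding, though it needs a fixture that does not appear to exist here. The `SSITests` class header is above the hunk, so other methods may exist outside this view.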