django/docs/releases/1.4.7.txt

==========================
Django 1.4.7 release notes
==========================

*September 10, 2013*

Django 1.4.7 fixes one security issue present in previous Django releases in
the 1.4 series.

Directory traversal vulnerability in :ttag:`ssi` template tag
-------------------------------------------------------------

In previous versions of Django it was possible to bypass the
:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
template tag by specifying a relative path that starts with one of the allowed
roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
would be possible:

.. code-block:: html+django

    {% ssi "/var/www/../../etc/passwd" %}

In practice this is not a very common problem, as it would require the template
author to put the :ttag:`ssi` file in a user-controlled variable, but it's
possible in principle.
Added 1.4.7/1.5.3 release notes 2013-08-23 18:49:37 +08:00			`==========================`
			`Django 1.4.7 release notes`
			`==========================`

			`September 10, 2013`

			`Django 1.4.7 fixes one security issue present in previous Django releases in`
			`the 1.4 series.`

			Directory traversal vulnerability in :ttag:`ssi` template tag
			`-------------------------------------------------------------`

			`In previous versions of Django it was possible to bypass the`
			:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
			`template tag by specifying a relative path that starts with one of the allowed`
			roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
			`would be possible:`

			`.. code-block:: html+django`

			`{% ssi "/var/www/../../etc/passwd" %}`

			`In practice this is not a very common problem, as it would require the template`
			author to put the :ttag:`ssi` file in a user-controlled variable, but it's
			`possible in principle.`