Deprecated ALLOWED_INCLUDE_ROOTS.

2014-12-14 22:59:51 +01:00 · 2014-12-14 22:59:51 +01:00 · 3dc01aaaaf
parent 84d7c93feb
commit 3dc01aaaaf
6 changed files with 26 additions and 18 deletions
--- a/docs/howto/deployment/checklist.txt
+++ b/docs/howto/deployment/checklist.txt
@ -232,14 +232,6 @@ details about the default templates:
 * :ref:`http_forbidden_view`
 * :ref:`http_bad_request_view`

-Miscellaneous
-=============
-
-:setting:`ALLOWED_INCLUDE_ROOTS`
--------------------------------
-
-This setting is required if you're using the :ttag:`ssi` template tag.
-
 Python Options
 ==============

--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@ -87,6 +87,10 @@ details on these changes.
 * The backwards compatibility shim to allow ``FormMixin.get_form()`` to be
  defined with no default value for its ``form_class`` argument will be removed.

+* The following settings will be removed:
+
+  * ``ALLOWED_INCLUDE_ROOTS``
+
 * The backwards compatibility alias ``django.template.loader.BaseLoader`` will
  be removed.

--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@ -123,6 +123,11 @@ ALLOWED_INCLUDE_ROOTS

 Default: ``()`` (Empty tuple)

+.. deprecated:: 1.8
+
+    Set the ``'allowed_include_roots'`` option in the :setting:`OPTIONS
+    <TEMPLATES-OPTIONS>` of a ``DjangoTemplates`` backend instead.
+
 A tuple of strings representing allowed prefixes for the ``{% ssi %}`` template
 tag. This is a security measure, so that template authors can't access files
 that they shouldn't be accessing.
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@ -996,8 +996,8 @@ file are evaluated as template code, within the current context::
    {% ssi '/home/html/ljworld.com/includes/right_generic.html' parsed %}

 Note that if you use ``{% ssi %}``, you'll need to define
-:setting:`ALLOWED_INCLUDE_ROOTS` in your Django settings, as a security
-measure.
+``'allowed_include_roots'`` in the :setting:`OPTIONS <TEMPLATES-OPTIONS>` of
+your template engine, as a security measure.

 .. note::
    With the :ttag:`ssi` tag and the ``parsed`` parameter
--- a/docs/releases/1.8.txt
+++ b/docs/releases/1.8.txt
@ -1014,6 +1014,14 @@ Related to the previous item, referencing views as strings in the ``url()``
 function is deprecated. Pass the callable view as described in the previous
 section instead.

+Template-related settings
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As a consequence of the multiple template engines refactor, several settings
+are deprecated in favor of :setting:`TEMPLATES`:
+
+* ``ALLOWED_INCLUDE_ROOTS``
+
 ``django.core.context_processors``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- a/tests/template_tests/tests.py
+++ b/tests/template_tests/tests.py
@ -470,28 +470,27 @@ class SSITests(SimpleTestCase):
    def setUp(self):
        self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
        self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
+        self.engine = Engine(allowed_include_roots=(self.ssi_dir,))

    def render_ssi(self, path):
        # the path must exist for the test to be reliable
        self.assertTrue(os.path.exists(path))
-        return template.Template('{%% ssi "%s" %%}' % path).render(Context())
+        return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({}))

    def test_allowed_paths(self):
        acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
-        with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
-            self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
+        self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')

    def test_relative_include_exploit(self):
        """
-        May not bypass ALLOWED_INCLUDE_ROOTS with relative paths
+        May not bypass allowed_include_roots with relative paths

-        e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be
+        e.g. if allowed_include_roots = ("/var/www",), it should not be
        possible to do {% ssi "/var/www/../../etc/passwd" %}
        """
        disallowed_paths = [
            os.path.join(self.ssi_dir, "..", "ssi_include.html"),
            os.path.join(self.ssi_dir, "..", "second", "test.html"),
        ]
-        with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
-            for path in disallowed_paths:
-                self.assertEqual(self.render_ssi(path), '')
+        for disallowed_path in disallowed_paths:
+            self.assertEqual(self.render_ssi(disallowed_path), '')