summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAymeric Augustin <aymeric.augustin@m4x.org>2014-12-14 22:59:51 +0100
committerAymeric Augustin <aymeric.augustin@m4x.org>2014-12-28 17:02:30 +0100
commit3dc01aaaaf7cf070933a8f5ee9a5f9136503d676 (patch)
tree423377577663d509ec7633d9140d7fe9c04a52c1
parent84d7c93feb5ebad83fa88b02779db7e85928f0a8 (diff)
Deprecated ALLOWED_INCLUDE_ROOTS.
-rw-r--r--docs/howto/deployment/checklist.txt8
-rw-r--r--docs/internals/deprecation.txt4
-rw-r--r--docs/ref/settings.txt5
-rw-r--r--docs/ref/templates/builtins.txt4
-rw-r--r--docs/releases/1.8.txt8
-rw-r--r--tests/template_tests/tests.py15
6 files changed, 26 insertions, 18 deletions
diff --git a/docs/howto/deployment/checklist.txt b/docs/howto/deployment/checklist.txt
index 4697a3625d..24b33adc35 100644
--- a/docs/howto/deployment/checklist.txt
+++ b/docs/howto/deployment/checklist.txt
@@ -232,14 +232,6 @@ details about the default templates:
* :ref:`http_forbidden_view`
* :ref:`http_bad_request_view`
-Miscellaneous
-=============
-
-:setting:`ALLOWED_INCLUDE_ROOTS`
---------------------------------
-
-This setting is required if you're using the :ttag:`ssi` template tag.
-
Python Options
==============
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt
index bf659d8c62..eaaec49349 100644
--- a/docs/internals/deprecation.txt
+++ b/docs/internals/deprecation.txt
@@ -87,6 +87,10 @@ details on these changes.
* The backwards compatibility shim to allow ``FormMixin.get_form()`` to be
defined with no default value for its ``form_class`` argument will be removed.
+* The following settings will be removed:
+
+ * ``ALLOWED_INCLUDE_ROOTS``
+
* The backwards compatibility alias ``django.template.loader.BaseLoader`` will
be removed.
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 11db92fe05..de50302e97 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -123,6 +123,11 @@ ALLOWED_INCLUDE_ROOTS
Default: ``()`` (Empty tuple)
+.. deprecated:: 1.8
+
+ Set the ``'allowed_include_roots'`` option in the :setting:`OPTIONS
+ <TEMPLATES-OPTIONS>` of a ``DjangoTemplates`` backend instead.
+
A tuple of strings representing allowed prefixes for the ``{% ssi %}`` template
tag. This is a security measure, so that template authors can't access files
that they shouldn't be accessing.
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 8e4dc05d38..dced4cdee6 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -996,8 +996,8 @@ file are evaluated as template code, within the current context::
{% ssi '/home/html/ljworld.com/includes/right_generic.html' parsed %}
Note that if you use ``{% ssi %}``, you'll need to define
-:setting:`ALLOWED_INCLUDE_ROOTS` in your Django settings, as a security
-measure.
+``'allowed_include_roots'`` in the :setting:`OPTIONS <TEMPLATES-OPTIONS>` of
+your template engine, as a security measure.
.. note::
With the :ttag:`ssi` tag and the ``parsed`` parameter
diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt
index 39fc642690..8ce36fcb6c 100644
--- a/docs/releases/1.8.txt
+++ b/docs/releases/1.8.txt
@@ -1014,6 +1014,14 @@ Related to the previous item, referencing views as strings in the ``url()``
function is deprecated. Pass the callable view as described in the previous
section instead.
+Template-related settings
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As a consequence of the multiple template engines refactor, several settings
+are deprecated in favor of :setting:`TEMPLATES`:
+
+* ``ALLOWED_INCLUDE_ROOTS``
+
``django.core.context_processors``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/tests/template_tests/tests.py b/tests/template_tests/tests.py
index 5d4b029430..0466f91c7a 100644
--- a/tests/template_tests/tests.py
+++ b/tests/template_tests/tests.py
@@ -470,28 +470,27 @@ class SSITests(SimpleTestCase):
def setUp(self):
self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
+ self.engine = Engine(allowed_include_roots=(self.ssi_dir,))
def render_ssi(self, path):
# the path must exist for the test to be reliable
self.assertTrue(os.path.exists(path))
- return template.Template('{%% ssi "%s" %%}' % path).render(Context())
+ return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({}))
def test_allowed_paths(self):
acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
- with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
- self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
+ self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
def test_relative_include_exploit(self):
"""
- May not bypass ALLOWED_INCLUDE_ROOTS with relative paths
+ May not bypass allowed_include_roots with relative paths
- e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be
+ e.g. if allowed_include_roots = ("/var/www",), it should not be
possible to do {% ssi "/var/www/../../etc/passwd" %}
"""
disallowed_paths = [
os.path.join(self.ssi_dir, "..", "ssi_include.html"),
os.path.join(self.ssi_dir, "..", "second", "test.html"),
]
- with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
- for path in disallowed_paths:
- self.assertEqual(self.render_ssi(path), '')
+ for disallowed_path in disallowed_paths:
+ self.assertEqual(self.render_ssi(disallowed_path), '')