diff options
| author | Tim Graham <timograham@gmail.com> | 2015-08-17 09:34:50 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-09-23 19:31:09 -0400 |
| commit | 04ee4059d71dbc6aa029907e251360eaf00e11bb (patch) | |
| tree | d675a92c2f0beec5e3904c7b02e415d91d8e5c10 /docs | |
| parent | 3af9b70028487be81c4f6ca65ca0d1f2be337e4f (diff) | |
Refs #24022 -- Removed the ssi tag per deprecation timeline.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/internals/deprecation.txt | 8 | ||||
| -rw-r--r-- | docs/ref/checks.txt | 6 | ||||
| -rw-r--r-- | docs/ref/settings.txt | 27 | ||||
| -rw-r--r-- | docs/ref/templates/api.txt | 17 | ||||
| -rw-r--r-- | docs/ref/templates/builtins.txt | 39 | ||||
| -rw-r--r-- | docs/releases/1.3.txt | 15 | ||||
| -rw-r--r-- | docs/releases/1.4.7.txt | 8 | ||||
| -rw-r--r-- | docs/releases/1.5.3.txt | 10 | ||||
| -rw-r--r-- | docs/releases/1.7.txt | 2 | ||||
| -rw-r--r-- | docs/releases/1.8.txt | 2 | ||||
| -rw-r--r-- | docs/topics/templates.txt | 15 |
11 files changed, 26 insertions, 123 deletions
diff --git a/docs/internals/deprecation.txt b/docs/internals/deprecation.txt index 8b9ab3254c..10bced6dea 100644 --- a/docs/internals/deprecation.txt +++ b/docs/internals/deprecation.txt @@ -691,10 +691,10 @@ details on these changes. handling. (This is faster than the usual deprecation path; see the :doc:`Django 1.4 release notes</releases/1.4>`.) -* The :ttag:`url` and :ttag:`ssi` template tags will be - modified so that the first argument to each tag is a template variable, not - an implied string. In 1.4, this behavior is provided by a version of the tag - in the ``future`` template tag library. +* The ``url`` and ``ssi`` template tags will be modified so that the first + argument to each tag is a template variable, not an implied string. In 1.4, + this behavior is provided by a version of the tag in the ``future`` template + tag library. * The ``reset`` and ``sqlreset`` management commands will be removed. diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt index 208e3fb81f..36f0b6222b 100644 --- a/docs/ref/checks.txt +++ b/docs/ref/checks.txt @@ -252,9 +252,9 @@ that might occur as a result of a version upgrade. * **1_8.W001**: The standalone ``TEMPLATE_*`` settings were deprecated in Django 1.8 and the :setting:`TEMPLATES` dictionary takes precedence. You must put the values of the following settings into your defaults ``TEMPLATES`` - dict: :setting:`TEMPLATE_DIRS`, :setting:`ALLOWED_INCLUDE_ROOTS`, - :setting:`TEMPLATE_CONTEXT_PROCESSORS`, :setting:`TEMPLATE_DEBUG`, - :setting:`TEMPLATE_LOADERS`, :setting:`TEMPLATE_STRING_IF_INVALID`. + dict: :setting:`TEMPLATE_DIRS`, :setting:`TEMPLATE_CONTEXT_PROCESSORS`, + :setting:`TEMPLATE_DEBUG`, :setting:`TEMPLATE_LOADERS`, + :setting:`TEMPLATE_STRING_IF_INVALID`. Admin ----- diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 6a398e1c60..a5d8715e69 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -99,32 +99,6 @@ This validation only applies via :meth:`~django.http.HttpRequest.get_host()`; if your code accesses the ``Host`` header directly from ``request.META`` you are bypassing this security protection. -.. setting:: ALLOWED_INCLUDE_ROOTS - -ALLOWED_INCLUDE_ROOTS ---------------------- - -Default: ``[]`` (Empty list) - -.. deprecated:: 1.8 - - This setting, along with the :ttag:`ssi` template tag, is deprecated and - will be removed in Django 1.10. - -.. versionchanged:: 1.8 - - You can also set the ``'allowed_include_roots'`` option in the - :setting:`OPTIONS <TEMPLATES-OPTIONS>` of a ``DjangoTemplates`` backend - instead. - -A list of strings representing allowed prefixes for the ``{% ssi %}`` template -tag. This is a security measure, so that template authors can't access files -that they shouldn't be accessing. - -For example, if :setting:`ALLOWED_INCLUDE_ROOTS` is ``['/home/html', '/var/www']``, -then ``{% ssi /home/html/foo.txt %}`` would work, but ``{% ssi /etc/passwd %}`` -wouldn't. - .. setting:: APPEND_SLASH APPEND_SLASH @@ -3433,7 +3407,6 @@ Serialization Templates --------- -* :setting:`ALLOWED_INCLUDE_ROOTS` * :setting:`TEMPLATES` * :setting:`TEMPLATE_CONTEXT_PROCESSORS` * :setting:`TEMPLATE_DEBUG` diff --git a/docs/ref/templates/api.txt b/docs/ref/templates/api.txt index a8311d30fd..5f6e12934c 100644 --- a/docs/ref/templates/api.txt +++ b/docs/ref/templates/api.txt @@ -48,7 +48,7 @@ probably isn't the documentation you're looking for. An instance of the of that backend and any attribute defaults mentioned below are overridden by what's passed by :class:`~django.template.backends.django.DjangoTemplates`. -.. class:: Engine(dirs=None, app_dirs=False, allowed_include_roots=None, context_processors=None, debug=False, loaders=None, string_if_invalid='', file_charset='utf-8', libraries=None, builtins=None) +.. class:: Engine(dirs=None, app_dirs=False, context_processors=None, debug=False, loaders=None, string_if_invalid='', file_charset='utf-8', libraries=None, builtins=None) .. versionadded:: 1.8 @@ -65,21 +65,6 @@ what's passed by :class:`~django.template.backends.django.DjangoTemplates`. It defaults to ``False``. - * ``allowed_include_roots`` is a list of strings representing allowed - prefixes for the ``{% ssi %}`` template tag. This is a security measure, - so that template authors can't access files that they shouldn't be - accessing. - - For example, if ``'allowed_include_roots'`` is ``['/home/html', - '/var/www']``, then ``{% ssi /home/html/foo.txt %}`` would work, but ``{% - ssi /etc/passwd %}`` wouldn't. - - It defaults to an empty list. - - .. deprecated:: 1.8 - - ``allowed_include_roots`` is deprecated. - * ``context_processors`` is a list of dotted Python paths to callables that are used to populate the context when a template is rendered with a request. These callables take a request object as their argument and diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 359907d261..1da27a18e6 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -958,45 +958,6 @@ this example, the space around ``Hello`` won't be stripped:: </strong> {% endspaceless %} -.. templatetag:: ssi - -ssi -^^^ - -.. deprecated:: 1.8 - - This tag has been deprecated and will be removed in Django 1.10. Use the - :ttag:`include` tag instead. - -Outputs the contents of a given file into the page. - -Like a simple :ttag:`include` tag, ``{% ssi %}`` includes the contents of -another file -- which must be specified using an absolute path -- in the -current page:: - - {% ssi '/home/html/ljworld.com/includes/right_generic.html' %} - -The first parameter of ``ssi`` can be a quoted literal or any other context -variable. - -If the optional ``parsed`` parameter is given, the contents of the included -file are evaluated as template code, within the current context:: - - {% ssi '/home/html/ljworld.com/includes/right_generic.html' parsed %} - -Note that if you use ``{% ssi %}``, you'll need to define -``'allowed_include_roots'`` in the :setting:`OPTIONS <TEMPLATES-OPTIONS>` of -your template engine, as a security measure. - -.. note:: - With the :ttag:`ssi` tag and the ``parsed`` parameter - there is no shared state between files -- each include is a completely - independent rendering process. This means it's not possible for example to - define blocks or alter the context in the current page using the included - file. - -See also: :ttag:`{% include %}<include>`. - .. templatetag:: templatetag templatetag diff --git a/docs/releases/1.3.txt b/docs/releases/1.3.txt index 52790db091..6706a58de2 100644 --- a/docs/releases/1.3.txt +++ b/docs/releases/1.3.txt @@ -730,8 +730,8 @@ and Ctrl-C test termination) have been made redundant. In view of this redundancy, ``DjangoTestRunner`` has been turned into an empty placeholder class, and will be removed entirely in Django 1.5. -Changes to :ttag:`url` and :ttag:`ssi` -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Changes to ``url`` and ``ssi`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Most template tags will allow you to pass in either constants or variables as arguments -- for example:: @@ -745,15 +745,14 @@ context variable ``templ`` that contains the value ``base.html``:: is also legal. -However, due to an accident of history, the :ttag:`url` and -:ttag:`ssi` are different. These tags use the second, quoteless -syntax, but interpret the argument as a constant. This means it isn't -possible to use a context variable as the target of a :ttag:`url` and -:ttag:`ssi` tag. +However, due to an accident of history, the ``url`` and ``ssi`` are different. +These tags use the second, quoteless syntax, but interpret the argument as a +constant. This means it isn't possible to use a context variable as the target +of a ``url`` and ``ssi`` tag. Django 1.3 marks the start of the process to correct this historical accident. Django 1.3 adds a new template library -- ``future`` -- that -provides alternate implementations of the :ttag:`url` and :ttag:`ssi` +provides alternate implementations of the ``url`` and ``ssi`` template tags. This ``future`` library implement behavior that makes the handling of the first argument consistent with the handling of all other variables. So, an existing template that contains:: diff --git a/docs/releases/1.4.7.txt b/docs/releases/1.4.7.txt index 64d308894c..c50d938bc4 100644 --- a/docs/releases/1.4.7.txt +++ b/docs/releases/1.4.7.txt @@ -7,11 +7,11 @@ Django 1.4.7 release notes Django 1.4.7 fixes one security issue present in previous Django releases in the 1.4 series. -Directory traversal vulnerability in :ttag:`ssi` template tag -------------------------------------------------------------- +Directory traversal vulnerability in ``ssi`` template tag +--------------------------------------------------------- In previous versions of Django it was possible to bypass the -:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi` +``ALLOWED_INCLUDE_ROOTS`` setting used for security with the ``ssi`` template tag by specifying a relative path that starts with one of the allowed roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following would be possible: @@ -21,5 +21,5 @@ would be possible: {% ssi "/var/www/../../etc/passwd" %} In practice this is not a very common problem, as it would require the template -author to put the :ttag:`ssi` file in a user-controlled variable, but it's +author to put the ``ssi`` file in a user-controlled variable, but it's possible in principle. diff --git a/docs/releases/1.5.3.txt b/docs/releases/1.5.3.txt index bdf68d5621..3d03eed74a 100644 --- a/docs/releases/1.5.3.txt +++ b/docs/releases/1.5.3.txt @@ -8,11 +8,11 @@ This is Django 1.5.3, the third release in the Django 1.5 series. It addresses one security issue and also contains an opt-in feature to enhance the security of :mod:`django.contrib.sessions`. -Directory traversal vulnerability in :ttag:`ssi` template tag -------------------------------------------------------------- +Directory traversal vulnerability in ``ssi`` template tag +--------------------------------------------------------- In previous versions of Django it was possible to bypass the -:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi` +``ALLOWED_INCLUDE_ROOTS`` setting used for security with the ``ssi`` template tag by specifying a relative path that starts with one of the allowed roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following would be possible: @@ -22,8 +22,8 @@ would be possible: {% ssi "/var/www/../../etc/passwd" %} In practice this is not a very common problem, as it would require the template -author to put the :ttag:`ssi` file in a user-controlled variable, but it's -possible in principle. +author to put the ``ssi`` file in a user-controlled variable, but it's possible +in principle. Mitigating a remote-code execution vulnerability in :mod:`django.contrib.sessions` ---------------------------------------------------------------------------------- diff --git a/docs/releases/1.7.txt b/docs/releases/1.7.txt index ff6043a332..993215ce34 100644 --- a/docs/releases/1.7.txt +++ b/docs/releases/1.7.txt @@ -1734,7 +1734,7 @@ Loading ``ssi`` and ``url`` template tags from ``future`` library Django 1.3 introduced ``{% load ssi from future %}`` and ``{% load url from future %}`` syntax for forward compatibility of the -:ttag:`ssi` and :ttag:`url` template tags. This syntax is now deprecated and +``ssi`` and :ttag:`url` template tags. This syntax is now deprecated and will be removed in Django 1.9. You can simply remove the ``{% load ... from future %}`` tags. diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt index a2d98656b6..d13abcabfc 100644 --- a/docs/releases/1.8.txt +++ b/docs/releases/1.8.txt @@ -1654,7 +1654,7 @@ Django 1.10. ``ssi`` template tag ~~~~~~~~~~~~~~~~~~~~ -The :ttag:`ssi` template tag allows files to be included in a template by +The ``ssi`` template tag allows files to be included in a template by absolute path. This is of limited use in most deployment situations, and the :ttag:`include` tag often makes more sense. This tag is now deprecated and will be removed in Django 1.10. diff --git a/docs/topics/templates.txt b/docs/topics/templates.txt index 94ee9904a6..a2ccdb0c9f 100644 --- a/docs/topics/templates.txt +++ b/docs/topics/templates.txt @@ -348,21 +348,6 @@ applications. This generic name was kept for backwards-compatibility. ``DjangoTemplates`` engines accept the following :setting:`OPTIONS <TEMPLATES-OPTIONS>`: -* ``'allowed_include_roots'``: a list of strings representing allowed prefixes - for the ``{% ssi %}`` template tag. This is a security measure, so that - template authors can't access files that they shouldn't be accessing. - - For example, if ``'allowed_include_roots'`` is ``['/home/html', - '/var/www']``, then ``{% ssi /home/html/foo.txt %}`` would work, but ``{% - ssi /etc/passwd %}`` wouldn't. - - It defaults to an empty list. - - .. deprecated:: 1.8 - - ``allowed_include_roots`` is deprecated because the {% ssi %} tag is - deprecated. - * ``'context_processors'``: a list of dotted Python paths to callables that are used to populate the context when a template is rendered with a request. These callables take a request object as their argument and return a |
