| author | Tim Graham <timograham@gmail.com> | 2013-08-23 06:49:37 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2013-09-10 21:09:47 -0400 |
| commit | d1dc8a0d009436c76321f0a70addf679ebf6ff56 | |
| tree | 1cc6bf079385be0717c7baf1ae4e69db1c02f1d0 | |
| parent | 87d2750b39f6f2d54b7047225521a44dcd37e896 | |
Added 1.4.7 release notes
Backport of baec6a26dd from master
| -rw-r--r-- | docs/releases/1.4.7.txt | 25 |
| -rw-r--r-- | docs/releases/index.txt | 1 |
2 files changed, 26 insertions, 0 deletions
diff --git a/docs/releases/1.4.7.txt b/docs/releases/1.4.7.txt new file mode 100644 index 0000000000..64d308894c --- /dev/null +++ b/docs/releases/1.4.7.txt @@ -0,0 +1,25 @@ +========================== +Django 1.4.7 release notes +========================== + +*September 10, 2013* + +Django 1.4.7 fixes one security issue present in previous Django releases in +the 1.4 series. + +Directory traversal vulnerability in :ttag:`ssi` template tag +------------------------------------------------------------- + +In previous versions of Django it was possible to bypass the +:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi` +template tag by specifying a relative path that starts with one of the allowed +roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following +would be possible: + +.. code-block:: html+django + + {% ssi "/var/www/../../etc/passwd" %} + +In practice this is not a very common problem, as it would require the template +author to put the :ttag:`ssi` file in a user-controlled variable, but it's +possible in principle. diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 68384c2ee9..0a4198bcb5 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -20,6 +20,7 @@ Final releases .. toctree:: :maxdepth: 1 + 1.4.7 1.4.6 1.4.5 1.4.4 |
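Review bot: the new docs/releases/1.4.7.txt describes the bypass but never says what 1.4.7 changes; the paragraph and the ``{% ssi "/var/www/../../etc/passwd" %}`` example explain how a relative path starting with an allowed root slipped past :setting:`ALLOWED_INCLUDE_ROOTS`, yet a reader upgrading cannot tell from the note whether such paths are now rejected outright or resolved before the root check. Suggest adding one sentence after the code block stating the fix, in the form the other release notes use. A smaller wording point in the closing paragraph: "put the :ttag:`ssi` file in a user-controlled variable" reads oddly; "put the file path passed to :ttag:`ssi` in a user-controlled variable" says what is meant.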
