Raised an error when allowed_include_roots is a string.

This avoids leaving projects silently vulnerable when this option is set to a string instead of a one-item tuple containing that string, a very common misconfiguration.
author: Aymeric Augustin <aymeric.augustin@m4x.org> 2014-12-14 23:18:38 +0100
committer: Aymeric Augustin <aymeric.augustin@m4x.org> 2014-12-28 17:02:29 +0100
commit: 84d7c93feb5ebad83fa88b02779db7e85928f0a8 (patch)
tree: c8f2b6ba7830cedf5799922121447a448c29e20e /django/template
parent: cf1f36bb6eb34fafe6c224003ad585a647f6117b (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/django/template/engine.py b/django/template/engine.py
index a76d52c565..9fecabb259 100644
--- a/django/template/engine.py
+++ b/django/template/engine.py
@@ -36,7 +36,11 @@ class Engine(object):
         else:
             if app_dirs:
                 raise ImproperlyConfigured(
-                    "APP_DIRS must not be set when LOADERS is defined.")
+                    "app_dirs must not be set when loaders is defined.")
+
+        if isinstance(allowed_include_roots, six.string_types):
+            raise ImproperlyConfigured(
+                "allowed_include_roots must be a tuple, not a string.")
 
         self.dirs = dirs
         self.app_dirs = app_dirs
author	Aymeric Augustin <aymeric.augustin@m4x.org>	2014-12-14 23:18:38 +0100
committer	Aymeric Augustin <aymeric.augustin@m4x.org>	2014-12-28 17:02:29 +0100
commit	84d7c93feb5ebad83fa88b02779db7e85928f0a8 (patch)
tree	c8f2b6ba7830cedf5799922121447a448c29e20e /django/template
parent	cf1f36bb6eb34fafe6c224003ad585a647f6117b (diff)