diff options
Diffstat (limited to 'docs/releases/1.4.7.txt')
| -rw-r--r-- | docs/releases/1.4.7.txt | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/docs/releases/1.4.7.txt b/docs/releases/1.4.7.txt new file mode 100644 index 0000000000..64d308894c --- /dev/null +++ b/docs/releases/1.4.7.txt @@ -0,0 +1,25 @@ +========================== +Django 1.4.7 release notes +========================== + +*September 10, 2013* + +Django 1.4.7 fixes one security issue present in previous Django releases in +the 1.4 series. + +Directory traversal vulnerability in :ttag:`ssi` template tag +------------------------------------------------------------- + +In previous versions of Django it was possible to bypass the +:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi` +template tag by specifying a relative path that starts with one of the allowed +roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following +would be possible: + +.. code-block:: html+django + + {% ssi "/var/www/../../etc/passwd" %} + +In practice this is not a very common problem, as it would require the template +author to put the :ttag:`ssi` file in a user-controlled variable, but it's +possible in principle. |