==========================
Django 1.4.7 release notes
==========================

*September 10, 2013*

Django 1.4.7 fixes one security issue present in previous Django releases in
the 1.4 series.

Directory traversal vulnerability in ``ssi`` template tag
=========================================================

In previous versions of Django it was possible to bypass the
``ALLOWED_INCLUDE_ROOTS`` setting used to restrict the ``ssi`` template tag
by specifying a path that starts with one of the allowed roots and then
climbs back out of it with ``..`` segments. For example, if
``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following would be possible:

.. code-block:: html+django

    {% ssi "/var/www/../../etc/passwd" %}

In practice this is not a very common problem, as it would require the template
author to pass a user-controlled variable as the ``ssi`` argument, but it's
possible in principle.
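The following is an added example, written for this page rather than taken from Django's source, that reconstructs the flawed logic behind the bypass and shows one way to harden it. The function names, the ``ALLOWED_INCLUDE_ROOTS`` value and the sample paths are constructed for illustration. It goes slightly beyond the release note: besides the ``..`` traversal shown above, it also rejects sibling directories such as ``/var/www-private`` that a bare string-prefix test would accept.

```python
import posixpath

# Constructed setting, mirroring the value used in the release note.
ALLOWED_INCLUDE_ROOTS = ("/var/www",)


def include_is_allowed_naive(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Vulnerable check: a plain string-prefix test on the raw path.

    Illustrative reconstruction of the flawed logic, not Django's code.
    "/var/www/../../etc/passwd" starts with "/var/www", so it passes even
    though the ".." segments make it resolve to /etc/passwd.
    """
    return any(filepath.startswith(root) for root in roots)


def include_is_allowed_hardened(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Hardened check: canonicalise first, then test directory containment.

    - posixpath.normpath collapses "." and ".." segments, so the comparison
      is made on the path that would actually be opened.
    - Matching against root + "/" (or the root itself) rejects siblings such
      as "/var/www-private", which a bare prefix test would accept.

    posixpath is used so the example behaves the same on every platform; in
    real code operating on the filesystem, os.path.realpath would also be
    needed to defeat symlinks, which normpath does not resolve.
    """
    canonical = posixpath.normpath(filepath)
    for root in roots:
        root = posixpath.normpath(root)
        if canonical == root or canonical.startswith(root + "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: the traversal from the release note, a
    # legitimate include, and a sibling-directory probe.
    samples = (
        "/var/www/../../etc/passwd",
        "/var/www/index.html",
        "/var/www-private/secret",
    )
    for path in samples:
        print(
            f"{path!r}: naive={include_is_allowed_naive(path)} "
            f"hardened={include_is_allowed_hardened(path)}"
        )
```

The naive check is exactly the kind of prefix test that the ``..`` payload above defeats; the hardened version normalises the path before comparing and treats the root as a directory boundary rather than a string prefix.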