Added 1.4.7 release notes

Backport of baec6a2 from master
commit d1dc8a0d009436c76321f0a70addf679ebf6ff56 1 parent 87d2750
@timgraham timgraham authored
Showing with 26 additions and 0 deletions.
  1. +25 −0 docs/releases/1.4.7.txt
  2. +1 −0  docs/releases/index.txt
25 docs/releases/1.4.7.txt
@@ -0,0 +1,25 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 10, 2013*
+
+Django 1.4.7 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Directory traversal vulnerability in :ttag:`ssi` template tag
+-------------------------------------------------------------
+
+In previous versions of Django it was possible to bypass the
+:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
+template tag by specifying a relative path that starts with one of the allowed
+roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
+would be possible:
+
+.. code-block:: html+django
+
+ {% ssi "/var/www/../../etc/passwd" %}
+
+In practice this is not a very common problem, as it would require the template
+author to put the :ttag:`ssi` file in a user-controlled variable, but it's
+possible in principle.
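Review bot: the note tells the reader what the bypass was but not what 1.4.7 changed, which is what someone deciding whether to upgrade needs; after the ``{% ssi "/var/www/../../etc/passwd" %}`` example, add one sentence stating the new behaviour (for instance, that the requested path is now resolved to an absolute, normalized path before it is compared against :setting:`ALLOWED_INCLUDE_ROOTS`, if that is the fix), and if a CVE identifier was assigned to this issue, cite it in the first paragraph so the note can be matched against advisories. The closing paragraph ("not a very common problem") would also read better with a concrete recommendation alongside the caveat: that the path given to :ttag:`ssi` should be a literal or otherwise not derived from request data, since that is the condition under which the traversal matters.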
1  docs/releases/index.txt
@@ -20,6 +20,7 @@ Final releases
.. toctree::
:maxdepth: 1
+ 1.4.7
1.4.6
1.4.5
1.4.4
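Review bot: the new ``1.4.7`` entry is placed above ``1.4.6``, which keeps the list in descending version order and matches the existing ``1.4.6``/``1.4.5``/``1.4.4`` entries; the only thing to confirm is that its indentation under ``.. toctree::`` matches the existing entries, since the rendered diff here strips leading whitespace from the context lines and a mismatched indent would drop the entry from the toctree.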