Skip to content
Browse files

Added 1.4.7 release notes

Backport of baec6a2 from master
  • Loading branch information...
1 parent 87d2750 commit d1dc8a0d009436c76321f0a70addf679ebf6ff56 @timgraham timgraham committed
Showing with 26 additions and 0 deletions.
  1. +25 −0 docs/releases/1.4.7.txt
  2. +1 −0 docs/releases/index.txt
View
25 docs/releases/1.4.7.txt
@@ -0,0 +1,25 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 10, 2013*
+
+Django 1.4.7 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Directory traversal vulnerability in :ttag:`ssi` template tag
+-------------------------------------------------------------
+
+In previous versions of Django it was possible to bypass the
+:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
+template tag by specifying a relative path that starts with one of the allowed
+roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
+would be possible:
+
+.. code-block:: html+django
+
+ {% ssi "/var/www/../../etc/passwd" %}
+
+In practice this is not a very common problem, as it would require the template
+author to put the :ttag:`ssi` file in a user-controlled variable, but it's
+possible in principle.
View
1 docs/releases/index.txt
@@ -20,6 +20,7 @@ Final releases
.. toctree::
:maxdepth: 1
+ 1.4.7
1.4.6
1.4.5
1.4.4

0 comments on commit d1dc8a0

Please sign in to comment.
Something went wrong with that request. Please try again.