Sophie: python-django-doc-1.11.20-1.mga7 noarch

python-django-doc-1.11.20-1.mga7.noarch.rpm

Info
Deps
Files
Scripts
ChangeLog
Location
Others versions
Analyse

==========================
Django 1.4.7 release notes
==========================

*September 10, 2013*

Django 1.4.7 fixes one security issue present in previous Django releases in
the 1.4 series.

Directory traversal vulnerability in ``ssi`` template tag
=========================================================

In previous versions of Django it was possible to bypass the
``ALLOWED_INCLUDE_ROOTS`` setting used for security with the ``ssi``
template tag by specifying a relative path that starts with one of the allowed
roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
would be possible:

.. code-block:: html+django

    {% ssi "/var/www/../../etc/passwd" %}

In practice this is not a very common problem, as it would require the template
author to put the ``ssi`` file in a user-controlled variable, but it's
possible in principle.