From 84d7c93feb5ebad83fa88b02779db7e85928f0a8 Mon Sep 17 00:00:00 2001
From: Aymeric Augustin
Date: Sun, 14 Dec 2014 23:18:38 +0100
Subject: [PATCH] Raised an error when allowed_include_roots is a string.
This avoids leaving projects silently vulnerable when this option is set to a string instead of a one-item tuple containing that string, a very common misconfiguration.
---
 django/template/engine.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/django/template/engine.py b/django/template/engine.py
index a76d52c565..9fecabb259 100644
--- a/django/template/engine.py
+++ b/django/template/engine.py
@@ -36,7 +36,11 @@ class Engine(object):
 else:
 if app_dirs:
 raise ImproperlyConfigured(
- "APP_DIRS must not be set when LOADERS is defined.")
+ "app_dirs must not be set when loaders is defined.")
+
+ if isinstance(allowed_include_roots, six.string_types):
+ raise ImproperlyConfigured(
+ "allowed_include_roots must be a tuple, not a string.")
 self.dirs = dirs
 self.app_dirs = app_dirs
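Review bot: The new `isinstance(allowed_include_roots, six.string_types)` guard has no comment saying why a string is dangerous rather than merely wrong, and the diffstat lists only engine.py, so no regression test accompanies it. A string is itself iterable, so code that loops over the roots would presumably see single characters, and a one-character root such as `/` would then match any absolute path. A comment above the check, such as `# A string iterates per character, so "/" alone would allow every absolute path.`, would keep the guard from being relaxed later. A test asserting that `ImproperlyConfigured` is raised for a string value would pin the behaviour. The enclosing method starts and ends outside the hunk, so neither the `six` import nor the code that consumes the roots is visible here.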