From d1dc8a0d009436c76321f0a70addf679ebf6ff56 Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Fri, 23 Aug 2013 06:49:37 -0400
Subject: [PATCH] Added 1.4.7 release notes

Backport of baec6a26dd from master
---
 docs/releases/1.4.7.txt | 25 +++++++++++++++++++++++++
 docs/releases/index.txt |  1 +
 2 files changed, 26 insertions(+)
 create mode 100644 docs/releases/1.4.7.txt

diff --git a/docs/releases/1.4.7.txt b/docs/releases/1.4.7.txt
new file mode 100644
index 0000000000..64d308894c
--- /dev/null
+++ b/docs/releases/1.4.7.txt
@@ -0,0 +1,25 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 10, 2013*
+
+Django 1.4.7 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Directory traversal vulnerability in :ttag:`ssi` template tag
+-------------------------------------------------------------
+
+In previous versions of Django it was possible to bypass the
+:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
+template tag by specifying a relative path that starts with one of the allowed
+roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
+would be possible:
+
+.. code-block:: html+django
+
+    {% ssi "/var/www/../../etc/passwd" %}
+
+In practice this is not a very common problem, as it would require the template
+author to put the :ttag:`ssi` file in a user-controlled variable, but it's
+possible in principle.
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index 68384c2ee9..0a4198bcb5 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -20,6 +20,7 @@ Final releases
 .. toctree::
    :maxdepth: 1
 
+   1.4.7
    1.4.6
    1.4.5
    1.4.4