From d1dc8a0d009436c76321f0a70addf679ebf6ff56 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Fri, 23 Aug 2013 06:49:37 -0400 Subject: [PATCH] Added 1.4.7 release notes Backport of baec6a26dd from master --- docs/releases/1.4.7.txt | 25 +++++++++++++++++++++++++ docs/releases/index.txt | 1 + 2 files changed, 26 insertions(+) create mode 100644 docs/releases/1.4.7.txt diff --git a/docs/releases/1.4.7.txt b/docs/releases/1.4.7.txt new file mode 100644 index 0000000000..64d308894c --- /dev/null +++ b/docs/releases/1.4.7.txt @@ -0,0 +1,25 @@ +========================== +Django 1.4.7 release notes +========================== + +*September 10, 2013* + +Django 1.4.7 fixes one security issue present in previous Django releases in +the 1.4 series. + +Directory traversal vulnerability in :ttag:`ssi` template tag +------------------------------------------------------------- + +In previous versions of Django it was possible to bypass the +:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi` +template tag by specifying a relative path that starts with one of the allowed +roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following +would be possible: + +.. code-block:: html+django + + {% ssi "/var/www/../../etc/passwd" %} + +In practice this is not a very common problem, as it would require the template +author to put the :ttag:`ssi` file in a user-controlled variable, but it's +possible in principle. diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 68384c2ee9..0a4198bcb5 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -20,6 +20,7 @@ Final releases .. toctree:: :maxdepth: 1 + 1.4.7 1.4.6 1.4.5 1.4.4