mirror of
https://github.com/django/django.git
synced 2025-06-06 20:19:13 +00:00
Added 1.4.7 release notes
Backport of baec6a26dd from master
This commit is contained in:
parent
87d2750b39
commit
d1dc8a0d00
25
docs/releases/1.4.7.txt
Normal file
25
docs/releases/1.4.7.txt
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
==========================
|
||||||
|
Django 1.4.7 release notes
|
||||||
|
==========================
|
||||||
|
|
||||||
|
*September 10, 2013*
|
||||||
|
|
||||||
|
Django 1.4.7 fixes one security issue present in previous Django releases in
|
||||||
|
the 1.4 series.
|
||||||
|
|
||||||
|
Directory traversal vulnerability in :ttag:`ssi` template tag
|
||||||
|
-------------------------------------------------------------
|
||||||
|
|
||||||
|
In previous versions of Django it was possible to bypass the
|
||||||
|
:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
|
||||||
|
template tag by specifying a relative path that starts with one of the allowed
|
||||||
|
roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
|
||||||
|
would be possible:
|
||||||
|
|
||||||
|
.. code-block:: html+django
|
||||||
|
|
||||||
|
{% ssi "/var/www/../../etc/passwd" %}
|
||||||
|
|
||||||
|
In practice this is not a very common problem, as it would require the template
|
||||||
|
author to put the :ttag:`ssi` file in a user-controlled variable, but it's
|
||||||
|
possible in principle.
|
@ -20,6 +20,7 @@ Final releases
|
|||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
|
1.4.7
|
||||||
1.4.6
|
1.4.6
|
||||||
1.4.5
|
1.4.5
|
||||||
1.4.4
|
1.4.4
|
||||||
|
Loading…
x
Reference in New Issue
Block a user