Commit d1dc8a0d authored by Tim Graham's avatar Tim Graham
Browse files

Added 1.4.7 release notes 

Backport of baec6a26 from master
parent 87d2750b

docs/releases/1.4.7.txt

0 → 100644
+25 −0
Original line number Diff line number Diff line 
==========================

Django 1.4.7 release notes

==========================



*September 10, 2013*



Django 1.4.7 fixes one security issue present in previous Django releases in

the 1.4 series.



Directory traversal vulnerability in :ttag:`ssi` template tag

-------------------------------------------------------------



In previous versions of Django it was possible to bypass the

:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`

template tag by specifying a relative path that starts with one of the allowed

roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following

would be possible:



.. code-block:: html+django



    {% ssi "/var/www/../../etc/passwd" %}



In practice this is not a very common problem, as it would require the template

author to put the :ttag:`ssi` file in a user-controlled variable, but it's

possible in principle.

docs/releases/index.txt

+1 −0
Original line number Diff line number Diff line
@@ -20,6 +20,7 @@ Final releases 
.. toctree::

   :maxdepth: 1



   1.4.7

   1.4.6

   1.4.5

   1.4.4