Django 1.7.2.dev20141217000106 documentation

Home | Table of contents | Index | Modules

« previous | up | next »

Django 1.4.7 release notes¶

September 10, 2013

Django 1.4.7 fixes one security issue present in previous Django releases in the 1.4 series.

Directory traversal vulnerability in `ssi` template tag¶

In previous versions of Django it was possible to bypass the ALLOWED_INCLUDE_ROOTS setting used for security with the ssi template tag by specifying a relative path that starts with one of the allowed roots. For example, if ALLOWED_INCLUDE_ROOTS = ("/var/www",) the following would be possible:

{% ssi "/var/www/../../etc/passwd" %}

In practice this is not a very common problem, as it would require the template author to put the ssi file in a user-controlled variable, but it’s possible in principle.

Table Of Contents

Django 1.4.7 release notes
- Directory traversal vulnerability in ssi template tag

Browse

Prev: Django 1.4.8 release notes
Next: Django 1.4.6 release notes

You are here:

Django 1.7.2.dev20141217000106 documentation
- Release notes
  - Django 1.4.7 release notes

This Page

Last update:

Dec 16, 2014

« previous | up | next »