Django 1.4.7 release notes
September 10, 2013
Django 1.4.7 fixes one security issue present in previous Django releases in the 1.4 series.
Directory traversal vulnerability in ssi template tag
In previous versions of Django it was possible to bypass the ALLOWED_INCLUDE_ROOTS setting, which restricts the files the ssi template tag may include, by passing a path that begins with one of the allowed roots but then climbs back out of it with ".." segments. The check compared the raw, un-normalised path against the allowed roots, so the prefix matched even though the file actually read lay outside them. For example, if ALLOWED_INCLUDE_ROOTS = ("/var/www",) the following would be possible:
{% ssi "/var/www/../../etc/passwd" %}
In practice this is not a very common problem, since exploiting it requires the template author to take the ssi path from a user-controlled variable rather than writing it as a literal in the template, but it is possible in principle.
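To make the failure mode concrete, here is an added Python illustration (not Django's own code, and not the patch shipped in 1.4.7) of the two ways the root check can be written: a naive prefix comparison on the raw path, which the ".." bypass above defeats, and a hardened version that normalises the path and tests containment before deciding. The function names and the CASES list are hypothetical and constructed for this example; only the ALLOWED_INCLUDE_ROOTS setting name and the "/var/www" root come from the release note. The hardened check also goes one step beyond the note by rejecting a sibling directory such as "/var/wwwevil", which a bare startswith() against "/var/www" would accept.

```python
import posixpath

# Constructed setting, mirroring the release note's example; not a real deployment.
ALLOWED_INCLUDE_ROOTS = ("/var/www",)


def naive_include_is_allowed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Prefix check on the raw path: the pre-1.4.7 behaviour described above.

    Hypothetical re-implementation for illustration only. It accepts any
    string that begins with an allowed root, so '..' segments that appear
    after the root are never examined.
    """
    return any(filepath.startswith(root) for root in roots)


def safe_include_is_allowed(filepath, roots=ALLOWED_INCLUDE_ROOTS):
    """Normalise first, then require the result to sit inside an allowed root.

    posixpath.normpath collapses '.' and '..' segments, so
    '/var/www/../../etc/passwd' becomes '/etc/passwd' before the comparison.
    The containment test (root itself, or root plus a separator) also rejects
    '/var/wwwevil/x', which a plain startswith() against '/var/www' would
    let through. Symlinks are not resolved here; a deployment that allows
    symlinks under the root would additionally need realpath().
    """
    # A relative path is anchored to the process cwd, not to any root: refuse it.
    if not posixpath.isabs(filepath):
        return False
    normalised = posixpath.normpath(filepath)
    for root in roots:
        root = posixpath.normpath(root)
        if normalised == root or normalised.startswith(root.rstrip("/") + "/"):
            return True
    return False


# Constructed inputs: the bypass from the release note plus a few neighbours.
CASES = (
    "/var/www/index.html",            # legitimate include
    "/var/www/sub/../index.html",     # '..' that stays inside the root
    "/var/www/../../etc/passwd",      # the bypass shown above
    "/var/wwwevil/index.html",        # sibling directory sharing the prefix
    "var/www/index.html",             # relative path, anchored nowhere useful
)


def compare(filepath):
    """Return (naive verdict, hardened verdict) for one candidate path."""
    return naive_include_is_allowed(filepath), safe_include_is_allowed(filepath)


if __name__ == "__main__":
    for path in CASES:
        naive, safe = compare(path)
        print(f"{path:32} naive={naive!s:5} hardened={safe!s:5}")
```

Run stand-alone it prints one line per case; the row for "/var/www/../../etc/passwd" shows the naive check returning True and the hardened check returning False, which is exactly the gap the 1.4.7 release closes.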