path: root/docs/releases/1.4.7.txt
author: Tim Graham <timograham@gmail.com> 2013-08-23 06:49:37 -0400
committer: Tim Graham <timograham@gmail.com> 2013-09-10 21:07:22 -0400
commit: baec6a26dd259a0b41f59fa123f7675d8e05de61 (patch)
tree: c1df82675211b5b23706936051282d6a88fa3d4c /docs/releases/1.4.7.txt
parent: 7fe5b656c9d4f54d70b83edaa6225115805a2325 (diff)
download: django-baec6a26dd259a0b41f59fa123f7675d8e05de61.tar.gz
Added 1.4.7/1.5.3 release notes
Diffstat (limited to 'docs/releases/1.4.7.txt')
-rw-r--r-- docs/releases/1.4.7.txt | 25 +
1 file changed, 25 insertions, 0 deletions
diff --git a/docs/releases/1.4.7.txt b/docs/releases/1.4.7.txt
new file mode 100644
index 0000000000..64d308894c
--- /dev/null
+++ b/docs/releases/1.4.7.txt
@@ -0,0 +1,25 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 10, 2013*
+
+Django 1.4.7 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Directory traversal vulnerability in :ttag:`ssi` template tag
+-------------------------------------------------------------
+
+In previous versions of Django it was possible to bypass the
+:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
+template tag by specifying a relative path that starts with one of the allowed
+roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
+would be possible:
+
+.. code-block:: html+django
+
+ {% ssi "/var/www/../../etc/passwd" %}
+
+In practice this is not a very common problem, as it would require the template
+author to put the :ttag:`ssi` file in a user-controlled variable, but it's
+possible in principle.
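Review bot: the note explains how ``ALLOWED_INCLUDE_ROOTS`` was bypassed (a ``..`` segment after an allowed prefix, as in ``{% ssi "/var/www/../../etc/passwd" %}``) but never says what 1.4.7 does about it; add one sentence after the example stating whether the requested path is now resolved to an absolute, normalized path before it is compared against the allowed roots, or whether paths containing ``..`` are simply rejected, so that site operators can tell whether an existing include that legitimately uses ``..`` will keep working after upgrading. The closing paragraph would also read more precisely as "pass a user-controlled value as the :ttag:`ssi` path argument" rather than "put the :ttag:`ssi` file in a user-controlled variable", since it is the path argument, not the file, that the attacker influences. If an advisory or CVE identifier exists for this issue, a reference to it here would help readers cross-check the fix.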