September 10, 2013
Django 1.4.7 fixes one security issue present in previous Django releases in the 1.4 series.
ssi
template tag¶In previous versions of Django it was possible to bypass the
ALLOWED_INCLUDE_ROOTS
setting used for security with the ssi
template tag by specifying a relative path that starts with one of the allowed
roots. For example, if ALLOWED_INCLUDE_ROOTS = ("/var/www",)
the following
would be possible:
{% ssi "/var/www/../../etc/passwd" %}
In practice this is not a very common problem, as it would require the template
author to put the ssi
file in a user-controlled variable, but it's
possible in principle.
Jan 15, 2024