========================== Django 1.4.7 release notes ========================== *September 10, 2013* Django 1.4.7 fixes one security issue present in previous Django releases in the 1.4 series. Directory traversal vulnerability in :ttag:`ssi` template tag ------------------------------------------------------------- In previous versions of Django it was possible to bypass the :setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi` template tag by specifying a relative path that starts with one of the allowed roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following would be possible: .. code-block:: html+django {% ssi "/var/www/../../etc/passwd" %} In practice this is not a very common problem, as it would require the template author to put the :ttag:`ssi` file in a user-controlled variable, but it's possible in principle.