Perhaps simply by preventing absolute paths? That would be very easy
to change if it doesn't prevent a legitimate setup.

Of course, HTML coders need to accept a certain responsibility because
sometimes they can access a *lot* of information quite easily. I would
think if you have a non-programmer making changes, the programmers
would want to at least review those changes before accepting them, in
addition to a reasonable API.

 -rob

On Jul 21, 9:07 am, Czubakabra <[EMAIL PROTECTED]> wrote:
> Hi,
> Include tag is vulnerable to directory traversal:
>
> {% include "/etc/passwd" %}
>
> Django templates shouldn't permit an HTML coder to include files located
> above TEMPLATE_DIRS paths.
> What do you think about it?
>
> Best regards,
> Czubakabra
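An added example (not Django's loader code, and not from either poster) of the path confinement being discussed: refusing absolute names alone stops `/etc/passwd`, but a relative `../../etc/passwd` gets past that check, so the joined path is canonicalised and then required to stay under a template dir. The `TEMPLATE_DIRS` values and template names below are constructed for the demo and need not exist on disk.

```python
import os
from typing import List, Sequence

# Constructed sample setting; the directories need not exist for the demo.
TEMPLATE_DIRS = ("/srv/app/templates", "/srv/app/theme")


class TemplateTraversalError(ValueError):
    """Raised when an {% include %} name would resolve outside TEMPLATE_DIRS."""


def confine(name: str, template_dir: str) -> str:
    """Return the absolute path of `name` inside `template_dir`, or raise."""
    # Step 1: absolute names are refused outright (the suggestion in the thread).
    if os.path.isabs(name):
        raise TemplateTraversalError(f"absolute template name refused: {name!r}")
    root = os.path.realpath(template_dir)
    # Step 2: realpath collapses ".." segments and follows symlinks, so a
    # symlink inside the template tree pointing elsewhere is caught as well.
    candidate = os.path.realpath(os.path.join(root, name))
    # Step 3: the canonical result must lie strictly below the template dir.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise TemplateTraversalError(f"template name escapes {root}: {name!r}")
    return candidate


def candidates(name: str, template_dirs: Sequence[str] = TEMPLATE_DIRS) -> List[str]:
    """Confined search paths for `name`, in TEMPLATE_DIRS order.

    A loader would open the first one that exists; every entry returned here
    is already guaranteed to lie under its template dir.
    """
    return [confine(name, d) for d in template_dirs]


def is_safe_name(name: str, template_dirs: Sequence[str] = TEMPLATE_DIRS) -> bool:
    """True if `name` resolves inside every configured template dir."""
    try:
        candidates(name, template_dirs)
    except TemplateTraversalError:
        return False
    return True


if __name__ == "__main__":
    print(candidates("partials/header.html"))
    for bad in ("/etc/passwd", "../../../etc/passwd", "partials/../../etc/passwd"):
        print(bad, "->", "safe" if is_safe_name(bad) else "refused")
```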

