#12772: Allow loading template tags by fully qualified python module path
---------------------------------+------------------------------------
Reporter: patrys | Owner: patrys
Type: New feature | Status: assigned
Component: Template system | Version: 1.2-beta
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 1 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
---------------------------------+------------------------------------
Comment (by timgraham):
I am not entirely convinced either way about the security concerns. For
example, the documentation says we have `settings.ALLOWED_INCLUDE_ROOTS`
because "This is a security measure, so that template authors can’t access
files that they shouldn’t be accessing. It seems this opens up the same
sort of issue where template authors can load arbitrary Python packages
which shouldn't (but may) have side effects. It would be helpful to run
this by the mailing list and see if a consensus emerges.
After that (assuming this isn't rejected), the patch needs to be updated
to apply cleanly to master and then the Trac flags update so the patch
appears in the review queue.
--
Ticket URL: <https://code.djangoproject.com/ticket/12772#comment:25>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/064.10a66d21274ab3d5b6b29765ab85f6c0%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
