
Deprecated ALLOWED_INCLUDE_ROOTS.

Aymeric Augustin, 10 years ago
Commit 3dc01aaaaf

+ 0 - 8
docs/howto/deployment/checklist.txt

@@ -232,14 +232,6 @@ details about the default templates:
 * :ref:`http_forbidden_view`
 * :ref:`http_bad_request_view`
 
-Miscellaneous
-=============
-
-:setting:`ALLOWED_INCLUDE_ROOTS`
---------------------------------
-
-This setting is required if you're using the :ttag:`ssi` template tag.
-
 Python Options
 ==============
 
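
Review bot: Deleting the whole Miscellaneous section removes the only deployment-checklist reminder that the ssi tag needs an allowlist of include roots. The requirement has not gone away, since the builtins.txt change in this commit still says 'allowed_include_roots' must be defined when {% ssi %} is used. Suggest keeping a short entry here that points at the 'allowed_include_roots' option in the TEMPLATES OPTIONS instead of dropping it.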

+ 4 - 0
docs/internals/deprecation.txt

@@ -87,6 +87,10 @@ details on these changes.
 * The backwards compatibility shim to allow ``FormMixin.get_form()`` to be
   defined with no default value for its ``form_class`` argument will be removed.
 
+* The following settings will be removed:
+
+  * ``ALLOWED_INCLUDE_ROOTS``
+
 * The backwards compatibility alias ``django.template.loader.BaseLoader`` will
   be removed.
 

+ 5 - 0
docs/ref/settings.txt

@@ -123,6 +123,11 @@ ALLOWED_INCLUDE_ROOTS
 
 Default: ``()`` (Empty tuple)
 
+.. deprecated:: 1.8
+
+    Set the ``'allowed_include_roots'`` option in the :setting:`OPTIONS
+    <TEMPLATES-OPTIONS>` of a ``DjangoTemplates`` backend instead.
+
 A tuple of strings representing allowed prefixes for the ``{% ssi %}`` template
 tag. This is a security measure, so that template authors can't access files
 that they shouldn't be accessing.
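
Review bot: The `.. deprecated:: 1.8` note names the replacement but does not say how the two interact during the deprecation period: whether ALLOWED_INCLUDE_ROOTS is still honoured once TEMPLATES is defined, and which value wins if both are set. The paragraph right after it calls this a security measure, so one sentence stating that would keep people who migrate from ending up with a different allowlist than they expect.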

+ 2 - 2
docs/ref/templates/builtins.txt

@@ -996,8 +996,8 @@ file are evaluated as template code, within the current context::
     {% ssi '/home/html/ljworld.com/includes/right_generic.html' parsed %}
 
 Note that if you use ``{% ssi %}``, you'll need to define
-:setting:`ALLOWED_INCLUDE_ROOTS` in your Django settings, as a security
-measure.
+``'allowed_include_roots'`` in the :setting:`OPTIONS <TEMPLATES-OPTIONS>` of
+your template engine, as a security measure.
 
 .. note::
     With the :ttag:`ssi` tag and the ``parsed`` parameter
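
Review bot: "your template engine" on the two added lines is looser than the settings.txt wording in this same commit, which places the option in the OPTIONS of a ``DjangoTemplates`` backend. Suggest using the same wording here so it is clear the allowlist is configured per engine and only applies to that backend.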

+ 8 - 0
docs/releases/1.8.txt

@@ -1014,6 +1014,14 @@ Related to the previous item, referencing views as strings in the ``url()``
 function is deprecated. Pass the callable view as described in the previous
 section instead.
 
+Template-related settings
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+As a consequence of the multiple template engines refactor, several settings
+are deprecated in favor of :setting:`TEMPLATES`:
+
+* ``ALLOWED_INCLUDE_ROOTS``
+
 ``django.core.context_processors``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
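
Review bot: The added paragraph says "several settings are deprecated" but the list has a single entry and does not say what replaces it. If further entries arrive in later commits the wording is fine, but either way suggest naming the target next to each item, here the 'allowed_include_roots' option in OPTIONS as described in settings.txt, so the release notes work as a migration guide on their own.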

+ 7 - 8
tests/template_tests/tests.py

@@ -470,28 +470,27 @@ class SSITests(SimpleTestCase):
     def setUp(self):
         self.this_dir = os.path.dirname(os.path.abspath(upath(__file__)))
         self.ssi_dir = os.path.join(self.this_dir, "templates", "first")
+        self.engine = Engine(allowed_include_roots=(self.ssi_dir,))
 
     def render_ssi(self, path):
         # the path must exist for the test to be reliable
         self.assertTrue(os.path.exists(path))
-        return template.Template('{%% ssi "%s" %%}' % path).render(Context())
+        return self.engine.from_string('{%% ssi "%s" %%}' % path).render(Context({}))
 
     def test_allowed_paths(self):
         acceptable_path = os.path.join(self.ssi_dir, "..", "first", "test.html")
-        with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
-            self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
+        self.assertEqual(self.render_ssi(acceptable_path), 'First template\n')
 
     def test_relative_include_exploit(self):
         """
-        May not bypass ALLOWED_INCLUDE_ROOTS with relative paths
+        May not bypass allowed_include_roots with relative paths
 
-        e.g. if ALLOWED_INCLUDE_ROOTS = ("/var/www",), it should not be
+        e.g. if allowed_include_roots = ("/var/www",), it should not be
         possible to do {% ssi "/var/www/../../etc/passwd" %}
         """
         disallowed_paths = [
             os.path.join(self.ssi_dir, "..", "ssi_include.html"),
             os.path.join(self.ssi_dir, "..", "second", "test.html"),
         ]
-        with override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,)):
-            for path in disallowed_paths:
-                self.assertEqual(self.render_ssi(path), '')
+        for disallowed_path in disallowed_paths:
+            self.assertEqual(self.render_ssi(disallowed_path), '')
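
Review bot: With both `override_settings(ALLOWED_INCLUDE_ROOTS=(self.ssi_dir,))` blocks removed, SSITests no longer exercises the deprecated setting at all, only `Engine(allowed_include_roots=(self.ssi_dir,))`. The setting is deprecated, not removed, so a test that renders {% ssi %} through the old setting and still gets '' for the paths in test_relative_include_exploit would guard the traversal check for projects that have not migrated yet. A case using an Engine created without allowed_include_roots would also document what happens when no roots are configured.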