SmileyChris wrote:
> PS: I can't patch your diffs because they don't use the format which
> TortoiseSVN accepts and the win32 build of patch falls over on it too.
> How are you making them?
I'm making my diffs with Bazaar, using "bzr diff". My unix patch seems
to handle them ok. Sorry about th
On Jul 23, 4:19 pm, Gary Wilson <[EMAIL PROTECTED]> wrote:
> You would be fine, but I wasn't sure if you tested on Windows.
Yea, my development box runs XP.
PS: I can't patch your diffs because they don't use the format which
TortoiseSVN accepts and the win32 build of patch falls over on it too.
H
SmileyChris wrote:
> On Jul 23, 3:53 pm, Gary Wilson <[EMAIL PROTECTED]> wrote:
>> SmileyChris wrote:
>> I think the patch looks good. Can someone please confirm that the
>> latest patch works ok on Windows.
>
> I guess you mean apart from me? ;)
You would be fine, but I wasn't sure if you test
On Jul 23, 3:53 pm, Gary Wilson <[EMAIL PROTECTED]> wrote:
> SmileyChris wrote:
> I think the patch looks good. Can someone please confirm that the
> latest patch works ok on Windows.
I guess you mean apart from me? ;)
SmileyChris wrote:
> On Jul 22, 6:21 pm, Gary Wilson <[EMAIL PROTECTED]> wrote:
>> It's a bug and not intended behavior. I've opened a ticket and have
>> attached a patch.
>>
>> http://code.djangoproject.com/ticket/4952
>
> I've put up a new patch which is pretty solid and ready for a
> committe
> > This was my feeling also, however I think it is prudent to prevent
> > legitimate users from making mistakes. I don't know about designers,
> > but I have worked with some programmers that just don't think things
> > through like they should...
>
> This tells me they have a much deeper problem
On 7/22/07, oggie rob <[EMAIL PROTECTED]> wrote:
> but everything I can think of is safer & cleaner by restricting
> it to TEMPLATE_DIRS locations (e.g. adding the extra directories, sym
> linking, or just maintaining another copy in an existing TEMPLATE_DIRS
> spot). The advantage is of course th
On 7/22/07, oggie rob <[EMAIL PROTECTED]> wrote:
>
> This was my feeling also, however I think it is prudent to prevent
> legitimate users from making mistakes. I don't know about designers,
> but I have worked with some programmers that just don't think things
> through like they should...
This
> Sort of, but not really. Personally, I don't think there's any secure
> way to allow arbitrary users to upload templates, because there are
> just too many ways to expose something you wouldn't want to expose; if
> you were going to develop a sandboxed version of the template system,
> you'd hav
On 7/22/07, Tai Lee <[EMAIL PROTECTED]> wrote:
> Don't you mean *disallow* use of {% include %} and *enforce* use of {%
> ssi %} (only)? If he has no control over the template code html
> authors are generating, and {% include %} is part of django, those
> template authors would be able to access
On Jul 22, 8:29 am, "James Bennett" <[EMAIL PROTECTED]> wrote:
> I'm personally ambivalent about where the "include" tag should be able
> to search, because I can see cases where it'd be useful to have it
> pull in things that aren't in TEMPLATE_DIRS. If you're interested in
> confining the place
On Jul 22, 6:21 pm, Gary Wilson <[EMAIL PROTECTED]> wrote:
> It's a bug and not intended behavior. I've opened a ticket and have
> attached a patch.
>
> http://code.djangoproject.com/ticket/4952
I've put up a new patch which is pretty solid and ready for a
committer's review.
Czubakabra wrote:
> Hi,
> Include tag is vulnerable to directory traversal:
>
> {% include "/etc/passwd" %}
It's a bug and not intended behavior. I've opened a ticket and have
attached a patch.
http://code.djangoproject.com/ticket/4952
Gary
On 7/21/07, Czubakabra <[EMAIL PROTECTED]> wrote:
> Django templates shouldn't permit html coder to include files located
> above TEMPLATE_DIRS paths.
> What do you think about it?
I'm personally ambivalent about where the "include" tag should be able
to search, because I can see cases where it'd
Hello,
> Of course, html coders need to accept a certain responsibility because
> sometimes they can access a *lot* of information quite easily. I would
> think if you have a non programmer making changes, the programmers
> would want to at least review those changes before accepting them, in
> a
Perhaps simply by preventing absolute paths? That would be very easy
to change if it doesn't prevent a legitimate setup.
Of course, html coders need to accept a certain responsibility because
sometimes they can access a *lot* of information quite easily. I would
think if you have a non programmer
Hi,
Include tag is vulnerable to directory traversal:
{% include "/etc/passwd" %}
Django templates shouldn't permit html coder to include files located
above TEMPLATE_DIRS paths.
What do you think about it?
Best regards,
Czubakabra