Mercurial > p > roundup > code
comparison doc/upgrading.txt @ 5147:d16ba6e6624b
upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 14 Jul 2016 21:43:17 -0400 |
| parents | 1c90f15a177f |
| children | f608eeecf638 |
comparison
equal
deleted
inserted
replaced
| 5146:153833fe124f | 5147:d16ba6e6624b |
|---|---|
| 20 .. contents:: | 20 .. contents:: |
| 21 :local: | 21 :local: |
| 22 | 22 |
| 23 Migrating from 1.5.1 to 1.6.0 | 23 Migrating from 1.5.1 to 1.6.0 |
| 24 ============================= | 24 ============================= |
| 25 | |
| 26 Fix for path traversal changes template resolution | |
| 27 -------------------------------------------------- | |
| 28 | |
| 29 The templates in the tracker's html subdirectory must not be | |
| 30 symbolic links that lead outside of the html directory. | |
| 31 | |
| 32 If you don't use symbolic links for templates in your html | |
| 33 subdirectory you don't have to make any changes. Otherwise you need to | |
| 34 replace the symbolic links with hard links to the files or replace the | |
| 35 symbolic links with the files. | |
| 36 | |
| 37 This is a side effect of fixing a path traversal security issue. The | |
| 38 security issue required a directory with a specific unusual name. This | |
| 39 made it difficult to exploit. However allowing the use of | |
| 40 subdirectories to organize the templates required that it be fixed. | |
| 41 | |
| 25 | 42 |
| 26 Database back end specified in config.ini | 43 Database back end specified in config.ini |
| 27 ----------------------------------------- | 44 ----------------------------------------- |
| 28 | 45 |
| 29 The ``db/backend_name`` file is no longer used to configure the database | 46 The ``db/backend_name`` file is no longer used to configure the database |