diff doc/upgrading.txt @ 5147:d16ba6e6624b

upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
author John Rouillard <rouilj@ieee.org>
date Thu, 14 Jul 2016 21:43:17 -0400
parents 1c90f15a177f
children f608eeecf638
--- a/doc/upgrading.txt	Thu Jul 14 19:24:31 2016 -0400
+++ b/doc/upgrading.txt	Thu Jul 14 21:43:17 2016 -0400
@@ -23,6 +23,23 @@
 Migrating from 1.5.1 to 1.6.0
 =============================
 
+Fix for path traversal changes template resolution
+--------------------------------------------------
+
+The templates in the tracker's html subdirectory must not be
+symbolic links that lead outside of the html directory.
+
+If you don't use symbolic links for templates in your html
+subdirectory you don't have to make any changes. Otherwise you need to
+replace the symbolic links with hard links to the files or replace the
+symbolic links with the files.
+
+This is a side effect of fixing a path traversal security issue.  The
+security issue required a directory with a specific unusual name. This
+made it difficult to exploit. However allowing the use of
+subdirectories to organize the templates required that it be fixed.
+
+
 Database back end specified in config.ini
 -----------------------------------------
 
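Review bot: The first paragraph of the new section and the second one do not agree on the scope of the change. "must not be symbolic links that lead outside of the html directory" only restricts links whose target is outside `html/`, but "If you don't use symbolic links for templates in your html subdirectory you don't have to make any changes. Otherwise you need to replace the symbolic links" tells every symlink user to replace their links, including links whose target stays inside `html/`. Please state explicitly whether a symlink that resolves to a file within the html directory is still accepted after the fix, so that admins with such links are not sent on an unnecessary migration (or, if all symlinks are now rejected, drop the "lead outside of the html directory" qualifier). Two smaller points in the same hunk: "However allowing the use of subdirectories" needs a comma after "However", and the two consecutive blank lines before "Database back end specified in config.ini" should be collapsed to the single blank line used before the other headings in this file.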

Roundup Issue Tracker: http://roundup-tracker.org/