changeset 5147:d16ba6e6624b
upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 14 Jul 2016 21:43:17 -0400 |
| parents | 153833fe124f |
| children | 71643a839c80 |
| files | CHANGES.txt doc/upgrading.txt |
| diffstat | 2 files changed, 19 insertions(+), 1 deletions(-) |
--- a/CHANGES.txt Thu Jul 14 19:24:31 2016 -0400 +++ b/CHANGES.txt Thu Jul 14 21:43:17 2016 -0400 @@ -291,7 +291,8 @@ with a specific name is created in the html subdirectory, the template name in the url can be used to get access to files outside of the tracker html directory. This has been fixed by normalizing - the path and comparing to the normalized path for the html directory. + the path and comparing to the normalized path for the html + directory. See ``doc/upgrading.txt``. (John Rouillard) 2016-01-11: 1.5.1
--- a/doc/upgrading.txt Thu Jul 14 19:24:31 2016 -0400 +++ b/doc/upgrading.txt Thu Jul 14 21:43:17 2016 -0400 @@ -23,6 +23,23 @@ Migrating from 1.5.1 to 1.6.0 ============================= +Fix for path traversal changes template resolution +-------------------------------------------------- + +The templates in the tracker's html subdirectory must not be +symbolic links that lead outside of the html directory. + +If you don't use symbolic links for templates in your html +subdirectory you don't have to make any changes. Otherwise you need to +replace the symbolic links with hard links to the files or replace the +symbolic links with the files. + +This is a side effect of fixing a path traversal security issue. The +security issue required a directory with a specific unusual name. This +made it difficult to exploit. However allowing the use of +subdirectories to organize the templates required that it be fixed. + + Database back end specified in config.ini -----------------------------------------
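Review bot: the CHANGES.txt hunk now only points readers to ``doc/upgrading.txt`` without saying what actually changes for them, so someone scanning the changelog for upgrade blockers will not see that symbolic-link templates in the html directory are affected. Suggest adding the one-line consequence before the pointer, e.g. `Templates that are symbolic links resolving outside the tracker's html directory are no longer usable; see ``doc/upgrading.txt``.` The rewrap of `the path and comparing to the normalized path for the html` / `directory.` is fine.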
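Review bot: the new "Fix for path traversal changes template resolution" section is inconsistent about which symbolic links are affected: the first paragraph restricts only links that "lead outside of the html directory", while the second tells anyone using symbolic links for templates to replace them. Suggest stating which rule applies: if a link whose target resolves inside the html directory still passes the normalized-path comparison, say so explicitly; otherwise drop the "outside" qualifier. It would also help administrators to describe what they will observe when an affected template is requested after upgrading, so a rejected link is recognised as this change rather than debugged as a template problem, and to note that hard links, unlike symbolic links, require the target file to be on the same filesystem (the section offers them as the replacement). Minor: "However allowing the use of subdirectories ..." needs a comma after "However".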
