Hi Tim, On 12/24/2014 01:35 PM, Tim Graham wrote: > I was hoping to get clarification on what security model we intend to > support for template authors. In ticket #12772 > <https://code.djangoproject.com/ticket/12772> it's proposed to allow > loading template tags using a dotted Python path. This would allow template > authors to trigger imports of anything on the Python path. I am not sure > the requirement to add a template tag library to INSTALLED_APPS is a big > burden these days (e.g. there is no more need to create an empty models.py > file), but perhaps I don't fully understand the ticket's rationale for > proposing these changes.
I don't believe that we should claim that the DTL is secure against untrusted template authors (I don't think it is, though I haven't taken time to really investigate), but I also don't believe we should merge the proposed patch from #12772, for the other reasons I mentioned in a comment on the ticket. Carl -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/54A0C603.6030006%40oddbird.net. For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: OpenPGP digital signature
