id: 4952
summary: include tag can access files outside of allowed directories
reporter: Gary Wilson
owner: Adrian Holovaty
status: closed
component: Template system
version: dev
resolution: fixed
stage: Ready for checkin
has_patch: 1
needs_docs: 0
needs_tests: 0
needs_better_patch: 0
easy: 0
ui_ux: 0

description:

Issue was brought up in django-dev: http://groups.google.com/group/django-developers/browse_frm/thread/28eac0b3787de93

It looks like the root of the problem is in the `get_template_sources` functions of both the `app_directories` and `filesystem` template loaders.

{{{
#!python
>>> from django.template.loaders import filesystem
>>> list(filesystem.get_template_sources("etc/passwd"))
['/home/gdub/checkout/listitall/wishlist/templates/etc/passwd']
>>> list(filesystem.get_template_sources("/etc/passwd"))
['/etc/passwd']
}}}

Both `get_template_sources` functions make use of `os.path.join`, which has a quirk with absolute paths. From the [http://docs.python.org/lib/module-os.path.html os.path docs] about `join()`:

"Join one or more path components intelligently. If any component is an absolute path, all previous components (on Windows, including the previous drive letter, if there was one) are thrown away, and joining continues."

{{{
#!python
>>> import os
>>> os.path.join('/my/template/dir', '/etc/passwd')
'/etc/passwd'
}}}
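The `os.path.join` behaviour reported above, next to a containment check, as an added example that is not part of the ticket and not Django's own code. The names `naive_sources`, `join_within` and `checked_sources` and the directory `/my/template/dir` are assumptions made for illustration; the check also covers `..` segments and sibling directories sharing a prefix, which goes beyond the absolute-path case in the ticket.

```python
import os


def naive_sources(template_dirs, template_name):
    """Candidate paths built the way the ticket describes: plain os.path.join."""
    return [os.path.join(d, template_name) for d in template_dirs]


def join_within(base, *paths):
    """Join paths onto base; raise ValueError if the result leaves base.

    Hypothetical helper for this example. It normalises with abspath(),
    so symlinks inside base are not resolved.
    """
    base_abs = os.path.abspath(base)
    # join() discards base_abs when a later component is absolute;
    # abspath() then collapses any '..' segments before the comparison.
    candidate = os.path.abspath(os.path.join(base_abs, *paths))
    # commonpath() compares whole components, so '/a/dir2' is not
    # mistaken for a child of '/a/dir' the way a startswith() test would.
    if os.path.commonpath([base_abs, candidate]) != base_abs:
        raise ValueError("%r is outside %r" % (candidate, base_abs))
    return candidate


def checked_sources(template_dirs, template_name):
    """Like naive_sources, but skip directories the name would escape."""
    sources = []
    for d in template_dirs:
        try:
            sources.append(join_within(d, template_name))
        except ValueError:
            continue
    return sources


if __name__ == "__main__":
    dirs = ["/my/template/dir"]  # constructed sample directory
    for name in ("etc/passwd", "/etc/passwd", "../../etc/passwd"):
        print(name, naive_sources(dirs, name), checked_sources(dirs, name))
```
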