﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
4952	include tag can access files outside of allowed directories	Gary Wilson	Adrian Holovaty	"Issue was brought up in django-dev: http://groups.google.com/group/django-developers/browse_frm/thread/28eac0b3787de93

It looks like the root of the problem is in the `get_template_sources` functions of both the `app_directories` and `filesystem` template loaders.

{{{
#!python
>>> from django.template.loaders import filesystem
>>> list(filesystem.get_template_sources(""etc/passwd""))
['/home/gdub/checkout/listitall/wishlist/templates/etc/passwd']
>>> list(filesystem.get_template_sources(""/etc/passwd""))
['/etc/passwd']
}}}

Both `get_template_sources` functions make use of `os.path.join`, which has a quirk with absolute paths.  From the [http://docs.python.org/lib/module-os.path.html os.path docs] about `join()`:

""Join one or more path components intelligently. If any component is an absolute path, all previous components (on Windows, including the previous drive letter, if there was one) are thrown away, and joining continues.""

{{{
#!python
>>> import os
>>> os.path.join('/my/template/dir', '/etc/passwd')
'/etc/passwd'
}}}"		closed	Template system	dev		fixed			Ready for checkin	1	0	0	0	0	0
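
An added example, not part of the ticket and not Django's own code: it reproduces the join behaviour reported above and shows one way to reject results that leave the template directory. The function names are hypothetical, the directory is the one from the ticket's join example, and the check goes slightly beyond the absolute-path case by also rejecting `../` sequences.

```python
import posixpath

# Template directory taken from the ticket's os.path.join example.
TEMPLATE_DIRS = ['/my/template/dir']


def naive_sources(template_name, template_dirs=TEMPLATE_DIRS):
    # Hypothetical stand-in for the reported behaviour: a bare join,
    # so an absolute template_name discards the directory entirely.
    for directory in template_dirs:
        yield posixpath.join(directory, template_name)


def contained_join(base, *paths):
    # Join and normalise first, then require the result to stay under base.
    # This is a lexical check only: it does not resolve symlinks on disk.
    base = posixpath.normpath(base)
    final = posixpath.normpath(posixpath.join(base, *paths))
    # Compare against base plus a separator, so a sibling such as
    # '/my/template/dir-evil' is not accepted as a prefix match.
    prefix = base if base.endswith('/') else base + '/'
    if final != base and not final.startswith(prefix):
        raise ValueError('%r is outside %r' % (final, base))
    return final


def checked_sources(template_name, template_dirs=TEMPLATE_DIRS):
    # Same generator shape as naive_sources, but a directory is skipped
    # when the joined path would fall outside it.
    for directory in template_dirs:
        try:
            yield contained_join(directory, template_name)
        except ValueError:
            continue


if __name__ == '__main__':
    # Constructed inputs: one normal name, the ticket's absolute path,
    # a parent-directory sequence, and a sibling-prefix case.
    for name in ('etc/passwd', '/etc/passwd', '../../../etc/passwd',
                 '../dir-evil/x.html'):
        print(name, list(naive_sources(name)), list(checked_sources(name)))
```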
