upgrade CHANGES.txt and doc/upgrading.txt with additional info about implications of fixing path traversal bug in d22eb1d40d0e

rouilj · rouilj · commit 9890c568df7e · 2016-07-14T21:43:17.000-04:00
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -291,7 +291,8 @@ Fixed:
   with a specific name is created in the html subdirectory, the
   template name in the url can be used to get access to files outside
   of the tracker html directory. This has been fixed by normalizing
-  the path and comparing to the normalized path for the html directory.
+  the path and comparing to the normalized path for the html
+  directory. See ``doc/upgrading.txt``. (John Rouillard)
 
 2016-01-11: 1.5.1
 
diff --git a/doc/upgrading.txt b/doc/upgrading.txt
@@ -23,6 +23,23 @@ Contents:
 Migrating from 1.5.1 to 1.6.0
 =============================
 
+Fix for path traversal changes template resolution
+--------------------------------------------------
+
+The templates in the tracker's html subdirectory must not be
+symbolic links that lead outside of the html directory.
+
+If you don't use symbolic links for templates in your html
+subdirectory you don't have to make any changes. Otherwise you need to
+replace the symbolic links with hard links to the files or replace the
+symbolic links with the files.
+
+This is a side effect of fixing a path traversal security issue.  The
+security issue required a directory with a specific unusual name. This
+made it difficult to exploit. However allowing the use of
+subdirectories to organize the templates required that it be fixed.
+
+
 Database back end specified in config.ini
 -----------------------------------------
 
