James P. Turk discovered that the ReST renderer in django-markupfield, a custom Django field for easy use of markup in text fields, didn"t disable the ..raw directive, allowing remote attackers to include arbitrary files.