@@ -83,8 +83,14 @@ class requestcontext(object):
self.configint('web', 'maxfiles', 10))
object.__setattr__(self, 'allowpull',
self.configbool('web', 'allowpull', True))
+ # we use untrusted=False to prevent a repo owner from using
+ # web.templates in .hg/hgrc to get access to any file readable
+ # by the user running the CGI script
+ object.__setattr__(self, 'templatepath',
+ self.config('web', 'templates', untrusted=False))
+
# Proxy unknown reads and writes to the application instance
# until everything is moved to us.
def __getattr__(self, name):
return getattr(self.app, name)
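Review bot: The added `templatepath` read is the only one in this block that passes `untrusted=False`, so the protection the comment describes holds only if `requestcontext.config` forwards that keyword to the underlying config lookup rather than applying its own default. That method is outside the hunk and should be confirmed. Because the second hunk removes `self.templatepath` from `hgweb`, a regression test that sets `web.templates` in an untrusted `.hg/hgrc` and asserts the value is ignored would keep a later refactor from silently reintroducing the default trust setting. The comment could also state that the difference from the neighbouring reads is deliberate, for example `# unlike the other web.* settings read above, this must come from trusted config only`. The class body starts and ends outside the hunk.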
@@ -157,12 +163,8 @@ class hgweb(object):
hook.redirect(True)
self.repostate = None
self.mtime = -1
self.reponame = name
- # we use untrusted=False to prevent a repo owner from using
- # web.templates in .hg/hgrc to get access to any file readable
- # by the user running the CGI script
- self.templatepath = self.config('web', 'templates', untrusted=False)
self.websubtable = webutil.getwebsubs(r)
# The CGI scripts are often run by a user different from the repo owner.
# Trust the settings from the .hg/hgrc files by default.