From patchwork Sat Sep 16 18:28:30 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [23,of,23] hgwebdir: read 'web.template' untrusted
From: Boris Feld <boris.feld@octobus.net>
X-Patchwork-Id: 23975
Message-Id: <57231a130210d31431b7.1505586510@FB>
To: mercurial-devel@mercurial-scm.org
Cc: boris.feld@octobus.net
Date: Sat, 16 Sep 2017 20:28:30 +0200

# HG changeset patch
# User Boris Feld <boris.feld@octobus.net>
# Date 1505494670 -7200
#      ven. sept. 15 18:57:50 2017 +0200
# Node ID 57231a130210d31431b727a74d91165c7802d387
# Parent  93a8e90493a27207b281f1bcf19bdf0ae6d115ca
# EXP-Topic config.cleanup
hgwebdir: read 'web.template' untrusted

The 'hgweb_mod.py' version of this read it untrusted. For consistency we align
the two versions of this code.

diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
--- a/mercurial/hgweb/hgwebdir_mod.py	ven. juin 30 03:45:53 2017 +0200
+++ b/mercurial/hgweb/hgwebdir_mod.py	ven. sept. 15 18:57:50 2017 +0200
@@ -174,7 +174,7 @@
         self.ui = u
         encoding.encoding = self.ui.config('web', 'encoding')
         self.style = self.ui.config('web', 'style')
-        self.templatepath = self.ui.config('web', 'templates')
+        self.templatepath = self.ui.config('web', 'templates', untrusted=False)
         self.stripecount = self.ui.config('web', 'stripes')
         if self.stripecount:
             self.stripecount = int(self.stripecount)