Patchwork [STABLE] hgwebdir: read 'web.template' untrusted

Submitter Boris Feld
Date Sept. 18, 2017, 8:04 a.m.
Message ID <19e507500cec6a3cf500.1505721869@FB>
Permalink /patch/23983/
State Accepted

Comments

Boris Feld - Sept. 18, 2017, 8:04 a.m.
# HG changeset patch
# User Boris Feld <boris.feld@octobus.net>
# Date 1505494670 -7200
#      ven. sept. 15 18:57:50 2017 +0200
# Branch stable
# Node ID 19e507500cec6a3cf5008bbf9ce73d194cc7c250
# Parent  1908dc95863957aa1a8375c91bd02d1c7bb3d577
hgwebdir: read 'web.template' untrusted

The 'hgweb_mod.py' version of this read it untrusted. For consistency we align
the two versions of this code.
Augie Fackler - Sept. 18, 2017, 3:46 p.m.
On Mon, Sep 18, 2017 at 10:04:29AM +0200, Boris Feld wrote:
> # HG changeset patch
> # User Boris Feld <boris.feld@octobus.net>
> # Date 1505494670 -7200
> #      ven. sept. 15 18:57:50 2017 +0200
> # Branch stable
> # Node ID 19e507500cec6a3cf5008bbf9ce73d194cc7c250
> # Parent  1908dc95863957aa1a8375c91bd02d1c7bb3d577
> hgwebdir: read 'web.template' untrusted

queued for stable, thanks

Patch

diff -r 1908dc958639 -r 19e507500cec mercurial/hgweb/hgwebdir_mod.py
--- a/mercurial/hgweb/hgwebdir_mod.py	lun. sept. 11 15:59:18 2017 -0700
+++ b/mercurial/hgweb/hgwebdir_mod.py	ven. sept. 15 18:57:50 2017 +0200
@@ -173,7 +173,8 @@ 
         encoding.encoding = self.ui.config('web', 'encoding',
                                            encoding.encoding)
         self.style = self.ui.config('web', 'style', 'paper')
-        self.templatepath = self.ui.config('web', 'templates', None)
+        self.templatepath = self.ui.config('web', 'templates', None,
+                                           untrusted=False)
         self.stripecount = self.ui.config('web', 'stripes', 1)
         if self.stripecount:
             self.stripecount = int(self.stripecount)
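Review bot: the keyword added on the self.templatepath assignment is untrusted=False, while the commit summary says the value is read "untrusted", and the summary names 'web.template' where the call reads ('web', 'templates'); as written, the description and the code appear to say opposite things. If the intent is that the template path is taken from trusted configuration only, the summary should say so and use the actual key name, and a one-line comment above the call explaining why this option, unlike 'style' and 'stripes' next to it, is pinned explicitly would help later readers. The commit message also points to hgweb_mod.py as the reference behaviour, so quoting the corresponding line from that file in the description would let a reviewer confirm that the two call sites now match.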