From patchwork Mon Sep 18 08:04:29 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [STABLE] hgwebdir: read 'web.template' untrusted
From: Boris Feld <boris.feld@octobus.net>
X-Patchwork-Id: 23983
Message-Id: <19e507500cec6a3cf500.1505721869@FB>
To: mercurial-devel@mercurial-scm.org
Cc: boris.feld@octobus.net
Date: Mon, 18 Sep 2017 10:04:29 +0200

# HG changeset patch
# User Boris Feld <boris.feld@octobus.net>
# Date 1505494670 -7200
#      ven. sept. 15 18:57:50 2017 +0200
# Branch stable
# Node ID 19e507500cec6a3cf5008bbf9ce73d194cc7c250
# Parent  1908dc95863957aa1a8375c91bd02d1c7bb3d577
hgwebdir: read 'web.template' untrusted

The 'hgweb_mod.py' version of this read it untrusted. For consistency we align
the two versions of this code.

diff -r 1908dc958639 -r 19e507500cec mercurial/hgweb/hgwebdir_mod.py
--- a/mercurial/hgweb/hgwebdir_mod.py	lun. sept. 11 15:59:18 2017 -0700
+++ b/mercurial/hgweb/hgwebdir_mod.py	ven. sept. 15 18:57:50 2017 +0200
@@ -173,7 +173,8 @@
         encoding.encoding = self.ui.config('web', 'encoding',
                                            encoding.encoding)
         self.style = self.ui.config('web', 'style', 'paper')
-        self.templatepath = self.ui.config('web', 'templates', None)
+        self.templatepath = self.ui.config('web', 'templates', None,
+                                           untrusted=False)
         self.stripecount = self.ui.config('web', 'stripes', 1)
         if self.stripecount:
             self.stripecount = int(self.stripecount)