upstream/mercurial-mirror Commit - r26120:1a45e49a

hgweb: fix trust of templates path (BC)...

Matt Mackall -

r26120:1a45e49a 3.5.1 stable

parent child

mercurial/hgweb/hgweb_mod.py

0 +4 -3

                     self.reponame = name
                     self.archives = 'zip', 'gz', 'bz2'
                     self.stripecount = 1
-                    # a repo owner may set web.templates in .hg/hgrc to get any file
+                    # we use untrusted=False to prevent a repo owner from using
-                    # readable by the user running the CGI script
+                    # web.templates in .hg/hgrc to get access to any file readable
-                    self.templatepath = self.config('web', 'templates')
+                    # by the user running the CGI script
+                    self.templatepath = self.config('web', 'templates', untrusted=False)
                     self.websubtable = self.loadwebsub()
                 # The CGI scripts are often run by a user different from the repo owner.

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages