@@ -84,6 +84,12 class requestcontext(object): | |||
|
84 | 84 | object.__setattr__(self, 'allowpull', |
|
85 | 85 | self.configbool('web', 'allowpull', True)) |
|
86 | 86 | |
|
87 | # we use untrusted=False to prevent a repo owner from using | |
|
88 | # web.templates in .hg/hgrc to get access to any file readable | |
|
89 | # by the user running the CGI script | |
|
90 | object.__setattr__(self, 'templatepath', | |
|
91 | self.config('web', 'templates', untrusted=False)) | |
|
92 | ||
|
87 | 93 | # Proxy unknown reads and writes to the application instance |
|
88 | 94 | # until everything is moved to us. |
|
89 | 95 | def __getattr__(self, name): |
@@ -158,10 +164,6 class hgweb(object): | |||
|
158 | 164 | self.repostate = None |
|
159 | 165 | self.mtime = -1 |
|
160 | 166 | self.reponame = name |
|
161 | # we use untrusted=False to prevent a repo owner from using | |
|
162 | # web.templates in .hg/hgrc to get access to any file readable | |
|
163 | # by the user running the CGI script | |
|
164 | self.templatepath = self.config('web', 'templates', untrusted=False) | |
|
165 | 167 | self.websubtable = webutil.getwebsubs(r) |
|
166 | 168 | |
|
167 | 169 | # The CGI scripts are often run by a user different from the repo owner. |
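Review bot: Nothing in the visible hunks shows the remaining readers of `templatepath`, so removing the assignment from `hgweb.__init__` may break any code that still reads `self.templatepath` on the `hgweb` instance. The proxy comment above `__getattr__` suggests lookups are forwarded from the request context to the application, not the other way round. The `untrusted=False` argument is the only control that stops a repository owner's `.hg/hgrc` from pointing `web.templates` at any path the CGI user can read. It is worth confirming that `config`, as resolved on `requestcontext`, passes that keyword through unchanged, and adding a regression test that sets `web.templates` in an untrusted hgrc and asserts it is ignored. Both `__init__` bodies start and end outside the visible lines.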