Show More
@@ -84,6 +84,12 b' class requestcontext(object):' | |||||
84 | object.__setattr__(self, 'allowpull', |
|
84 | object.__setattr__(self, 'allowpull', | |
85 | self.configbool('web', 'allowpull', True)) |
|
85 | self.configbool('web', 'allowpull', True)) | |
86 |
|
86 | |||
|
87 | # we use untrusted=False to prevent a repo owner from using | |||
|
88 | # web.templates in .hg/hgrc to get access to any file readable | |||
|
89 | # by the user running the CGI script | |||
|
90 | object.__setattr__(self, 'templatepath', | |||
|
91 | self.config('web', 'templates', untrusted=False)) | |||
|
92 | ||||
87 | # Proxy unknown reads and writes to the application instance |
|
93 | # Proxy unknown reads and writes to the application instance | |
88 | # until everything is moved to us. |
|
94 | # until everything is moved to us. | |
89 | def __getattr__(self, name): |
|
95 | def __getattr__(self, name): | |
@@ -158,10 +164,6 b' class hgweb(object):' | |||||
158 | self.repostate = None |
|
164 | self.repostate = None | |
159 | self.mtime = -1 |
|
165 | self.mtime = -1 | |
160 | self.reponame = name |
|
166 | self.reponame = name | |
161 | # we use untrusted=False to prevent a repo owner from using |
|
|||
162 | # web.templates in .hg/hgrc to get access to any file readable |
|
|||
163 | # by the user running the CGI script |
|
|||
164 | self.templatepath = self.config('web', 'templates', untrusted=False) |
|
|||
165 | self.websubtable = webutil.getwebsubs(r) |
|
167 | self.websubtable = webutil.getwebsubs(r) | |
166 |
|
168 | |||
167 | # The CGI scripts are often run by a user different from the repo owner. |
|
169 | # The CGI scripts are often run by a user different from the repo owner. |
General Comments 0
You need to be logged in to leave comments.
Login now