Mercurial > hg-stable
comparison mercurial/templater.py @ 24296:b73a22d1d9bf stable
hgweb: prevent loading style map from directories other than specified paths
A style name should not contain "/", "\", "." and "..". Otherwise, templates
could be loaded from outside of the specified templates directory by invalid
?style= parameter. hgweb should not allow such requests.
This change means subdir/name is also rejected.
| author | Yuya Nishihara <yuya@tcha.org> |
|---|---|
| date | Fri, 13 Mar 2015 21:18:59 +0900 |
| parents | a3c2d9211294 |
| children | 15afda349b11 |
comparison
equal
deleted
inserted
replaced
| 24198:3cc630be5f09 | 24296:b73a22d1d9bf |
|---|---|
| 745 | 745 |
| 746 if isinstance(styles, str): | 746 if isinstance(styles, str): |
| 747 styles = [styles] | 747 styles = [styles] |
| 748 | 748 |
| 749 for style in styles: | 749 for style in styles: |
| 750 if not style: | 750 # only plain name is allowed to honor template paths |
| 751 if (not style | |
| 752 or style in (os.curdir, os.pardir) | |
| 753 or os.sep in style | |
| 754 or os.altsep and os.altsep in style): | |
| 751 continue | 755 continue |
| 752 locations = [os.path.join(style, 'map'), 'map-' + style] | 756 locations = [os.path.join(style, 'map'), 'map-' + style] |
| 753 locations.append('map') | 757 locations.append('map') |
| 754 | 758 |
| 755 for path in paths: | 759 for path in paths: |