Mercurial > hg-stable

diff mercurial/templater.py @ 24296:b73a22d1d9bf stable

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
hgweb: prevent loading style map from directories other than specified paths A style name should not contain "/", "\", "." and "..". Otherwise, templates could be loaded from outside of the specified templates directory by invalid ?style= parameter. hgweb should not allow such requests. This change means subdir/name is also rejected.
author Yuya Nishihara <yuya@tcha.org>
date Fri, 13 Mar 2015 21:18:59 +0900
parents a3c2d9211294
children 15afda349b11
line wrap: on
line diff
--- a/mercurial/templater.py	Fri Mar 06 00:14:22 2015 +0900
+++ b/mercurial/templater.py	Fri Mar 13 21:18:59 2015 +0900
@@ -747,7 +747,11 @@
         styles = [styles]
 
     for style in styles:
-        if not style:
+        # only plain name is allowed to honor template paths
+        if (not style
+            or style in (os.curdir, os.pardir)
+            or os.sep in style
+            or os.altsep and os.altsep in style):
             continue
         locations = [os.path.join(style, 'map'), 'map-' + style]
         locations.append('map')