Mercurial > hg
diff mercurial/hgweb/hgweb_mod.py @ 26138:f77a3f27cea5
merge with stable
| author | Matt Mackall <mpm@selenic.com> |
|---|---|
| date | Tue, 01 Sep 2015 17:09:00 -0500 |
| parents | 6defc74f3066 1a45e49a6bed |
| children | fd9b1262f0e4 |
line wrap: on
line diff
--- a/mercurial/hgweb/hgweb_mod.py Mon Aug 31 22:44:20 2015 -0400 +++ b/mercurial/hgweb/hgweb_mod.py Tue Sep 01 17:09:00 2015 -0500 @@ -159,9 +159,10 @@ self.repostate = ((-1, -1), (-1, -1)) self.mtime = -1 self.reponame = name - # a repo owner may set web.templates in .hg/hgrc to get any file - # readable by the user running the CGI script - self.templatepath = self.config('web', 'templates') + # we use untrusted=False to prevent a repo owner from using + # web.templates in .hg/hgrc to get access to any file readable + # by the user running the CGI script + self.templatepath = self.config('web', 'templates', untrusted=False) self.websubtable = self.loadwebsub() # The CGI scripts are often run by a user different from the repo owner.