# HG changeset patch
# User Yuya Nishihara
# Date 1426249139 -32400
# Node ID b73a22d1d9bfe3a7f8633340ea75a0ab1526c21b
# Parent 3cc630be5f09ab586e1ca3f015456fe5611e6333
hgweb: prevent loading style map from directories other than specified paths
A style name should not contain "/", "\", "." and "..". Otherwise, templates could be loaded from outside of the specified templates directory by invalid ?style= parameter. hgweb should not allow such requests.
This change means subdir/name is also rejected.
diff -r 3cc630be5f09 -r b73a22d1d9bf mercurial/templater.py
--- a/mercurial/templater.py Fri Mar 06 00:14:22 2015 +0900
+++ b/mercurial/templater.py Fri Mar 13 21:18:59 2015 +0900
@@ -747,7 +747,11 @@
 styles = [styles]
 for style in styles:
- if not style:
+ # only plain name is allowed to honor template paths
+ if (not style
+ or style in (os.curdir, os.pardir)
+ or os.sep in style
+ or os.altsep and os.altsep in style):
 continue
 locations = [os.path.join(style, 'map'), 'map-' + style]
 locations.append('map')
diff -r 3cc630be5f09 -r b73a22d1d9bf tests/test-hgweb.t
--- a/tests/test-hgweb.t Fri Mar 06 00:14:22 2015 +0900
+++ b/tests/test-hgweb.t Fri Mar 13 21:18:59 2015 +0900
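Review bot: The new guard is a denylist (empty, `.`, `..`, a separator), so a Windows drive-relative name such as `c:` still passes it, and since `ntpath.join` discards the left-hand parts when the right-hand part carries a drive, `os.path.join(style, 'map')` on the next line — and presumably the later join onto the templates directory, which is outside this hunk — would no longer be anchored to that directory. An allowlist is simpler to reason about and also covers NUL bytes and similar surprises: `if not style or not all(c.isalnum() or c in '-_' for c in style): continue` would replace the four conditions; if that is too strict for existing style names, at least add `or os.path.splitdrive(style)[0]` to the rejected cases. As a point of style, `or os.altsep and os.altsep in style` relies on `and` binding tighter than `or`; writing it as `or (os.altsep and os.altsep in style)` makes the intent explicit. The enclosing function starts and ends outside the hunk.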
@@ -578,6 +578,45 @@
+no style can be loaded from directories other than the specified paths
+
+ $ mkdir -p x/templates/fallback
+ $ cat < x/templates/fallback/map
+ > default = 'shortlog'
+ > shortlog = 'fall back to default\n'
+ > mimetype = 'text/plain'
+ > EOF
+ $ cat < x/map
+ > default = 'shortlog'
+ > shortlog = 'access to outside of templates directory\n'
+ > mimetype = 'text/plain'
+ > EOF
+
+ $ "$TESTDIR/killdaemons.py" $DAEMON_PIDS
+ $ hg serve -p $HGPORT -d --pid-file=hg.pid -A access.log -E errors.log \
+ > --config web.style=fallback --config web.templates=x/templates
+ $ cat hg.pid >> $DAEMON_PIDS
+
+ $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT "?style=`pwd`/x"
+ 200 Script output follows
+
+ fall back to default
+
+ $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT '?style=..'
+ 200 Script output follows
+
+ fall back to default
+
+ $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT '?style=./..'
+ 200 Script output follows
+
+ fall back to default
+
+ $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT '?style=.../.../'
+ 200 Script output follows
+
+ fall back to default
+
 errors
 $ cat errors.log