On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.f...@octobus.net> wrote:
> # HG changeset patch > # User Boris Feld <boris.f...@octobus.net> > # Date 1505494670 -7200 > # ven. sept. 15 18:57:50 2017 +0200 > # Node ID 57231a130210d31431b727a74d91165c7802d387 > # Parent 93a8e90493a27207b281f1bcf19bdf0ae6d115ca > # EXP-Topic config.cleanup > hgwebdir: read 'web.template' untrusted > > The 'hgweb_mod.py' version of this read it untrusted. For consistency we > align > the two versions of this code. > Hmm. This is related to 1a45e49a6bed and represents a potential security issue. Could you please send a patch against stable so we can get this in the 4.3.2 release? > > diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py > --- a/mercurial/hgweb/hgwebdir_mod.py ven. juin 30 03:45:53 2017 +0200 > +++ b/mercurial/hgweb/hgwebdir_mod.py ven. sept. 15 18:57:50 2017 +0200 > @@ -174,7 +174,7 @@ > self.ui = u > encoding.encoding = self.ui.config('web', 'encoding') > self.style = self.ui.config('web', 'style') > - self.templatepath = self.ui.config('web', 'templates') > + self.templatepath = self.ui.config('web', 'templates', > untrusted=False) > self.stripecount = self.ui.config('web', 'stripes') > if self.stripecount: > self.stripecount = int(self.stripecount) > _______________________________________________ > Mercurial-devel mailing list > Mercurial-devel@mercurial-scm.org > https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel >
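Review bot: The commit message and the added line in the hgwebdir_mod.py hunk disagree: the subject says 'web.template' is read untrusted, while the `+` line passes `untrusted=False` for the `templates` key. Reword the subject and body to say that `web.templates` is read from trusted configuration only, and correct the key name so it matches the `self.ui.config('web', 'templates', ...)` call. Because the reply treats this as a potential security issue for the stable branch, the message should also state whether the explicit `untrusted=False` changes which configuration sources hgwebdir accepts for the template path or only spells out an existing default, so that whoever reviews the backport knows what behaviour to test.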