On Sat, 2017-09-16 at 13:42 -0700, Gregory Szorc wrote:
> On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.f...@octobus.net>
> wrote:
> > # HG changeset patch
> > # User Boris Feld <boris.f...@octobus.net>
> > # Date 1505494670 -7200
> > #      ven. sept. 15 18:57:50 2017 +0200
> > # Node ID 57231a130210d31431b727a74d91165c7802d387
> > # Parent  93a8e90493a27207b281f1bcf19bdf0ae6d115ca
> > # EXP-Topic config.cleanup
> > hgwebdir: read 'web.template' untrusted
> >
> > The 'hgweb_mod.py' version of this read it untrusted. For
> > consistency we align the two versions of this code.
>
> Hmm.
>
> This is related to 1a45e49a6bed and represents a potential security
> issue.
>
> Could you please send a patch against stable so we can get this in
> the 4.3.2 release?
Yes of course, sending it right now.

> > diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
> > --- a/mercurial/hgweb/hgwebdir_mod.py ven. juin 30 03:45:53 2017 +0200
> > +++ b/mercurial/hgweb/hgwebdir_mod.py ven. sept. 15 18:57:50 2017 +0200
> > @@ -174,7 +174,7 @@
> > self.ui = u
> > encoding.encoding = self.ui.config('web', 'encoding')
> > self.style = self.ui.config('web', 'style')
> > - self.templatepath = self.ui.config('web', 'templates')
> > + self.templatepath = self.ui.config('web', 'templates', untrusted=False)
> > self.stripecount = self.ui.config('web', 'stripes')
> > if self.stripecount:
> > self.stripecount = int(self.stripecount)
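Review bot: the commit message and the hunk point in opposite directions: the summary line says "read 'web.template' untrusted", but the changed line passes `untrusted=False`, which asks `ui.config` for the value from trusted configuration only, i.e. it stops honouring a per-repository hgrc the server does not trust. Since Greg calls this a potential security issue, the message should say what the reader actually gets, for example "hgwebdir: read 'web.templates' from trusted config only", and if `untrusted=False` is already the default for `ui.config` on this ui object, state that the hunk only makes the existing trusted read explicit rather than changing behaviour. The summary also names the key `'web.template'` while the hunk reads `'templates'`; use the real key name so the change is searchable later.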
_______________________________________________ Mercurial-devel mailing list Mercurial-devel@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
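What the `untrusted` flag decides, as an added example that is not part of the thread above and not Mercurial's own code: a small model of a ui object that keeps two views of the configuration, one built from trusted files only and one from every file read, and returns one or the other depending on the flag. The trust rule follows the one documented under "trusted" in `hg help config` (a file is trusted when it is owned by the current user or by a user or group listed in `trusted.users` / `trusted.groups`); the class and function names (`ToyUi`, `ConfigFile`, `templatepath`, `build_server_ui`), the file paths, the usernames and the option values are all constructed for the example.

```python
"""Toy model of trusted vs untrusted config lookup in the style of
Mercurial's ui.config(section, name, untrusted=...).

Added example, not code from Mercurial or from the patch above.  Only the
trust rule (owner is the current user, or a listed trusted user/group) is
taken from `hg help config`; every file, user and value below is made up.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

Key = Tuple[str, str]  # (section, name)


@dataclass
class ConfigFile:
    """One hgrc-like file: where it lives, who owns it, what it sets."""
    path: str
    owner: str
    group: str
    items: Dict[Key, str] = field(default_factory=dict)


class ToyUi:
    """Minimal stand-in for mercurial.ui.ui keeping two views of the config."""

    def __init__(self, files: List[ConfigFile], current_user: str,
                 trusted_users: Iterable[str] = (),
                 trusted_groups: Iterable[str] = ()):
        self.current_user = current_user
        self.trusted_users = set(trusted_users)
        self.trusted_groups = set(trusted_groups)
        self.warnings: List[str] = []
        self._trusted: Dict[Key, str] = {}    # values from trusted files only
        self._untrusted: Dict[Key, str] = {}  # values from every file read
        for f in files:  # later files override earlier ones, as in hg
            self._untrusted.update(f.items)
            if self._is_trusted(f):
                self._trusted.update(f.items)
            else:
                self.warnings.append(
                    "not trusting file %s from untrusted user %s, group %s"
                    % (f.path, f.owner, f.group))

    def _is_trusted(self, f: ConfigFile) -> bool:
        return (f.owner == self.current_user
                or f.owner in self.trusted_users
                or f.group in self.trusted_groups)

    def config(self, section: str, name: str, default: Optional[str] = None,
               untrusted: bool = False) -> Optional[str]:
        """untrusted=False: consult trusted files only.
        untrusted=True: also honour per-repository files the server does
        not trust (what the patch above stops doing for web.templates)."""
        store = self._untrusted if untrusted else self._trusted
        return store.get((section, name), default)


def templatepath(ui: ToyUi, untrusted: bool) -> Optional[str]:
    """The hgwebdir read in question: where hgweb loads templates from."""
    return ui.config('web', 'templates', untrusted=untrusted)


def build_server_ui() -> ToyUi:
    """Constructed scenario: the web server runs as user "hg".  The system
    file is root-owned and root is listed in trusted.users; the daemon's own
    ~/.hgrc is trusted by ownership; a pushed repository's .hg/hgrc is owned
    by "alice", who may write to that repository but administers nothing."""
    files = [
        ConfigFile("/etc/mercurial/hgrc", owner="root", group="root",
                   items={('web', 'style'): 'paper'}),
        ConfigFile("/home/hg/.hgrc", owner="hg", group="hg",
                   items={('web', 'templates'): '/srv/hg/templates'}),
        ConfigFile("/srv/hg/repos/proj/.hg/hgrc", owner="alice", group="users",
                   items={('web', 'templates'): '/home/alice/templates',
                          ('web', 'description'): 'proj'}),
    ]
    return ToyUi(files, current_user="hg", trusted_users={"root"})


if __name__ == "__main__":
    ui = build_server_ui()
    print("untrusted read:", templatepath(ui, untrusted=True))
    print("trusted read:  ", templatepath(ui, untrusted=False))
    for w in ui.warnings:
        print("warning:", w)
```

With the untrusted read, whoever can write the repository's `.hg/hgrc` chooses the directory hgweb renders its templates from; with `untrusted=False` that value is ignored and only the daemon's and the administrator's files count. Options that are meant to be set per repository, such as `web.description`, still need the untrusted read, which is why the flag is chosen per option rather than globally.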