[PATCH 5 of 5 hgweb-thread-isolation] hgweb: move templatepath to requestcontext

[Gregory Szorc]

# HG changeset patch
# User Gregory Szorc <gregory.szorc at gmail.com>
# Date 1440286102 25200
#      Sat Aug 22 16:28:22 2015 -0700
# Node ID 011172bffdc70751d1feff4e1e1a2dbf7f166233
# Parent  bd603c0e0eb9d852a1d5fa7cf0798dfae942734e
hgweb: move templatepath to requestcontext

This does change behavior in that the templatepath could change during
the lifetime of the server. But everything else can change, I don't see
why template paths can't.

diff --git a/mercurial/hgweb/hgweb_mod.py b/mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py
+++ b/mercurial/hgweb/hgweb_mod.py
@@ -83,8 +83,15 @@ class requestcontext(object):
                            self.configint('web', 'maxfiles', 10))
         object.__setattr__(self, 'allowpull',
                            self.configbool('web', 'allowpull', True))
 
+        # Don't allow untrusted config options because a repo owner may set
+        # the value in .hg/hgrc and gain access to files they normally
+        # can't see because the server can be running as a different
+        # user than the repo owner.
+        object.__setattr__(self, 'templatepath',
+                           self.config('web', 'templates', untrusted=False))
+
     # Proxy unknown reads and writes to the application instance
     # until everything is moved to us.
     def __getattr__(self, name):
         return getattr(self.app, name)
@@ -157,11 +164,8 @@ class hgweb(object):
         hook.redirect(True)
         self.repostate = None
         self.mtime = -1
         self.reponame = name
-        # a repo owner may set web.templates in .hg/hgrc to get any file
-        # readable by the user running the CGI script
-        self.templatepath = self.config('web', 'templates')
         self.websubtable = webutil.getwebsubs(r)
 
     # The CGI scripts are often run by a user different from the repo owner.
     # Trust the settings from the .hg/hgrc files by default.