[PATCH 23 of 23] hgwebdir: read 'web.template' untrusted

Boris Feld boris.feld at octobus.net
Mon Sep 18 03:51:49 EDT 2017


On Sat, 2017-09-16 at 13:42 -0700, Gregory Szorc wrote:
> On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.feld at octobus.net>
> wrote:
> > # HG changeset patch
> > # User Boris Feld <boris.feld at octobus.net>
> > # Date 1505494670 -7200
> > #      ven. sept. 15 18:57:50 2017 +0200
> > # Node ID 57231a130210d31431b727a74d91165c7802d387
> > # Parent  93a8e90493a27207b281f1bcf19bdf0ae6d115ca
> > # EXP-Topic config.cleanup
> > hgwebdir: read 'web.template' untrusted
> > 
> > The 'hgweb_mod.py' version of this read it untrusted. For
> > consistency we align the two versions of this code.
> 
> Hmm.
> 
> This is related to 1a45e49a6bed and represents a potential security
> issue.
> 
> Could you please send a patch against stable so we can get this in
> the 4.3.2 release?

Yes of course, sending it right now
>  
> > 
> > diff -r 93a8e90493a2 -r 57231a130210
> > mercurial/hgweb/hgwebdir_mod.py
> > 
> > --- a/mercurial/hgweb/hgwebdir_mod.py   ven. juin 30 03:45:53 2017
> > +0200
> > 
> > +++ b/mercurial/hgweb/hgwebdir_mod.py   ven. sept. 15 18:57:50 2017
> > +0200
> > 
> > @@ -174,7 +174,7 @@
> > 
> >          self.ui = u
> > 
> >          encoding.encoding = self.ui.config('web', 'encoding')
> > 
> >          self.style = self.ui.config('web', 'style')
> > 
> > -        self.templatepath = self.ui.config('web', 'templates')
> > 
> > +        self.templatepath = self.ui.config('web', 'templates',
> > untrusted=False)
> > 
> >          self.stripecount = self.ui.config('web', 'stripes')
> > 
> >          if self.stripecount:
> > 
> >              self.stripecount = int(self.stripecount)
> > 
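Review bot: the subject and description say the value is read "untrusted", but the changed line passes `untrusted=False`, which restricts `web.templates` to the trusted configuration; please reword the commit message to say the template path is now read from trusted config only, otherwise the wording inverts the security effect of the change (the point Gregory raises by calling it a potential security issue). Two smaller things for the stable resend: the description names the key `web.template` while the code reads `web.templates`, and the `+` line arrives wrapped (`untrusted=False)` sits on its own line), so the patch as quoted will not apply; a regression test that sets `web.templates` in an untrusted hgrc and checks that hgwebdir ignores it would also help.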
> > _______________________________________________
> > 
> > Mercurial-devel mailing list
> > 
> > Mercurial-devel at mercurial-scm.org
> > 
> > https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
> > 
> > 