[PATCH 23 of 23] hgwebdir: read 'web.template' untrusted
Gregory Szorc
gregory.szorc at gmail.com
Sat Sep 16 20:42:02 UTC 2017
On Sat, Sep 16, 2017 at 11:28 AM, Boris Feld <boris.feld at octobus.net> wrote:
> # HG changeset patch
> # User Boris Feld <boris.feld at octobus.net>
> # Date 1505494670 -7200
> # ven. sept. 15 18:57:50 2017 +0200
> # Node ID 57231a130210d31431b727a74d91165c7802d387
> # Parent 93a8e90493a27207b281f1bcf19bdf0ae6d115ca
> # EXP-Topic config.cleanup
> hgwebdir: read 'web.template' untrusted
>
> The 'hgweb_mod.py' version of this read it untrusted. For consistency we
> align the two versions of this code.
>
Hmm.
This is related to 1a45e49a6bed and represents a potential security issue.
Could you please send a patch against stable so we can get this in the
4.3.2 release?
>
> diff -r 93a8e90493a2 -r 57231a130210 mercurial/hgweb/hgwebdir_mod.py
> --- a/mercurial/hgweb/hgwebdir_mod.py ven. juin 30 03:45:53 2017 +0200
> +++ b/mercurial/hgweb/hgwebdir_mod.py ven. sept. 15 18:57:50 2017 +0200
> @@ -174,7 +174,7 @@
> self.ui = u
> encoding.encoding = self.ui.config('web', 'encoding')
> self.style = self.ui.config('web', 'style')
> - self.templatepath = self.ui.config('web', 'templates')
> + self.templatepath = self.ui.config('web', 'templates',
> untrusted=False)
> self.stripecount = self.ui.config('web', 'stripes')
> if self.stripecount:
> self.stripecount = int(self.stripecount)
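Review bot: the commit title says 'web.template' is read "untrusted", but the hunk passes `untrusted=False` to `self.ui.config('web', 'templates', ...)`, which is the opposite: it restricts the templates path to trusted config sources, matching the referenced hgweb_mod.py behaviour and the security motivation given in the reply. Suggest rewording the title and description to say the value is now read from trusted config only (and to name the key as it appears in the code, `web.templates`, not 'web.template'), so the changelog entry does not read as if the fix weakened the check.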
> _______________________________________________
> Mercurial-devel mailing list
> Mercurial-devel at mercurial-scm.org
> https://www.mercurial-scm.org/mailman/listinfo/mercurial-devel
>