Message5326
Hello, Joseph.
As for path traversal.
I started this patch by adding a check for '..' in the template name.
But then I found that FileSystemLoader in the Jinja2 engine already has
this check. I removed this check from my patch in the hope that a less
intrusive patch has more chance to be committed.
So, this patch turns the subdir feature on only for the Jinja2 engine, which
will raise TemplateNotFound in case of a path containing '..'.
If the subdirs feature is expanded to other template engines, there is
a need to add a check for '..' to the LoaderBase.check() function.
> Joseph Myers added the comment:
> My impression was that you could use subdirectories if their names
> matched the existing scheme, but that doing so introduced a path
> traversal vulnerability (see issue 2550701). How does this patch relate
> to path traversal issues?
> ----------
> nosy: +joseph_myers
> ________________________________________________
> Roundup tracker <issues@roundup-tracker.org>
> <http://issues.roundup-tracker.org/issue2550891>
> ________________________________________________
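As an added illustration of the check discussed in this message (not code from the patch, from Roundup or from Jinja2), here is a stand-alone Python version of a template-name check that refuses '..' pieces; TEMPLATE_ROOT, TemplateNotFound and the function names are assumptions, and it goes one step beyond the '..' test by confirming the resolved path still lies under the template root.

```python
import os

# Constructed template root for the demonstration; no files need to exist.
TEMPLATE_ROOT = "/srv/roundup/html"


class TemplateNotFound(Exception):
    """Stands in for the engine's own error when a name is refused."""


def split_template_path(template):
    """Split a template name into path pieces, refusing any '..' piece.

    This is the behaviour the message attributes to Jinja2's loader:
    'issue/../../etc/passwd' is refused outright rather than resolved.
    Empty and '.' pieces (from 'a//b' or './a') are dropped.
    """
    pieces = []
    for piece in template.split("/"):
        if (os.path.sep in piece or (os.path.altsep and os.path.altsep in piece)
                or piece == os.path.pardir):
            raise TemplateNotFound(template)
        if piece and piece != ".":
            pieces.append(piece)
    if not pieces:  # an empty name must not resolve to the root directory
        raise TemplateNotFound(template)
    return pieces


def resolve_template(template, template_root=TEMPLATE_ROOT):
    """Return the on-disk path under template_root, or raise TemplateNotFound.

    Hypothetical check of the kind a LoaderBase.check() for other engines
    would need.  After the '..' test it confirms the resolved path is still
    under the root, which also catches a symlinked subdirectory pointing
    elsewhere and drive-letter pieces on Windows.
    """
    root = os.path.realpath(template_root)
    candidate = os.path.realpath(os.path.join(root, *split_template_path(template)))
    if os.path.commonpath([root, candidate]) != root:
        raise TemplateNotFound(template)
    return candidate


def is_safe_template_name(template, template_root=TEMPLATE_ROOT):
    """True if the name resolves inside the root, False if it is refused."""
    try:
        resolve_template(template, template_root)
    except TemplateNotFound:
        return False
    return True
```

A leading slash is stripped like in Jinja2, so '/etc/passwd' maps to a file inside the root rather than escaping it.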
Date | User | Action | Args
2015-06-22 14:42:50 | antmail | set | recipients: + antmail, joseph_myers
2015-06-22 14:42:50 | antmail | link | issue2550891 messages
2015-06-22 14:42:49 | antmail | create |