Message5328
I started this patch by adding a check for '..' in the template name.
But then I found that FileSystemLoader in the Jinja2 engine already has
this check. I removed this check from my patch in the hope that a less
intrusive patch has more chance of being committed.
So, this patch turns the subdir feature on only for the Jinja2 engine, which
will raise TemplateNotFound in case of a path containing '..'.
If the subdirs feature is expanded to other template engines there is
a need to add a check for '..' to the LoaderBase.check() function.
> Ralf Schlatterbeck added the comment:
> On Mon, Jun 22, 2015 at 02:01:27PM +0000, Anthony wrote:
>>
>> There is no possibility to use a subdir for templates in the template store.
>>
>> All templates have to be placed in a flat template store. If you have many
>> templates this may be a problem.
>>
>> The attached patch allows using a subdir in the template store. For example,
>> with this patch you can use the "issue?@template=mobile/index" URL for
>> the "mobile/issue.index.html" template.
> Have you considered this may have security implications if someone
> specifies, e.g.,
> issue?@template=../../../.....
> You should check with abspath that the target is below the template
> directory. (I haven't checked your code yet)
> Ralf

Date                | User    | Action | Args
2015-06-23 08:42:17 | antmail | set    | recipients: + antmail, schlatterbeck, joseph_myers
2015-06-23 08:42:17 | antmail | link   | issue2550891 messages
2015-06-23 08:42:16 | antmail | create |
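An added example (not Anthony's patch and not Roundup or Jinja2 code) of the containment check Ralf describes: the @template value is mapped to a file the way the message explains ("mobile/index" -> "mobile/issue.index.html"), resolved with abspath, and rejected unless it stays below the template directory. The store location and the TemplateNotFound class are assumptions.

```python
import os
import posixpath


class TemplateNotFound(Exception):
    """Raised when a template name resolves outside the template store (assumed name)."""


def template_filename(classname, template):
    """Map a @template value to a file in the store, following the message:
    ("issue", "mobile/index") -> "mobile/issue.index.html"."""
    subdir, _, base = template.rpartition("/")
    fname = "%s.%s.html" % (classname, base)
    return posixpath.join(subdir, fname) if subdir else fname


def safe_template_path(template_dir, classname, template):
    """Resolve the template to an absolute path and refuse anything that
    escapes template_dir. Containment is tested with os.path.commonpath, not
    a string prefix, so a sibling directory such as 'htmlx' next to 'html'
    is not mistaken for a child of it. Unlike a plain substring test for
    '..', this also accepts harmless names such as 'mobile/..index'.
    abspath does not follow symlinks; use os.path.realpath on both sides
    if the store may contain links pointing outside it."""
    root = os.path.abspath(template_dir)
    # os.path.join discards root when the relative part is absolute, and
    # abspath collapses '..' segments, so the test below sees the real target.
    target = os.path.abspath(os.path.join(root, template_filename(classname, template)))
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows: cannot be inside root
        inside = False
    if not inside:
        raise TemplateNotFound(template)
    return target


def is_safe_template(template_dir, classname, template):
    """Boolean form of safe_template_path, convenient for logging and tests."""
    try:
        safe_template_path(template_dir, classname, template)
        return True
    except TemplateNotFound:
        return False


if __name__ == "__main__":
    store = "/srv/roundup/html"  # assumed template store location
    for name in ("mobile/index", "../../../etc/index", "../htmlx/index"):
        print("%-20s -> %s" % (name, "ok" if is_safe_template(store, "issue", name) else "rejected"))
```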