Message5336
As I mentioned, this patch looks ugly. It transforms the path (filename) string back into a (classname,
template_value) pair and then again into a path string.
This is because of a decision made some time ago:
"Template selection code is moved from Loader classes into cgi.client
limiting the responsibility of Loaders to compilation and rendering.
Internally, templating.find_template is replaced with
client.selectTemplate."
The logic of converting (classname, template_value) to a file (path) name
was moved from the template engine to the client.selectTemplate
function.
If this feature is accepted, then we need to move the logic back from
client.selectTemplate to the template engine.
I'll modify class templating.LoaderBase by
- adding a function for the default conversion (as in client.selectTemplate);
- adding a path traversal check to the existing templating.LoaderBase.check function.
> John Rouillard added the comment:
> I think any patch that goes in should work for any templating engine.
> So a check for directory traversal needs to happen in this patch.
> I would claim that the function reformTplName should do all the
> security checks. This way we are protected even if we add another
> templating engine someday.
> I think that is preferable to adding a check for ../ to the
> TAL templating code.
> ----------
> nosy: +rouilj
> ________________________________________________
> Roundup tracker <issues@roundup-tracker.org>
> <http://issues.roundup-tracker.org/issue2550891>
> ________________________________________________
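As an added illustration of the two pieces antmail proposes (a default conversion from (classname, template_value) to a template name, plus a traversal check in a LoaderBase-style check function), here is example code written for this page; it is not Roundup's code and not the patch under discussion. The "<classname>.<template>" naming convention, the "index" fallback, the accepted extensions, and the helper names are assumptions made for the example.

```python
"""Template-name resolution with a path traversal check (added example,
not Roundup's own code). Layout and naming convention are assumptions."""
import os
import re
import tempfile

# Template names are restricted to a conservative character set: no path
# separators, no leading dot. Everything else is rejected before the
# filesystem is consulted (first layer, engine-independent).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\-]*$")
# Extensions tried, in order, after the bare name (assumed convention).
_EXTENSIONS = (".html", ".xml")


def default_template_name(classname, template_value):
    """Default (classname, template_value) -> template name conversion.

    Assumed convention: '<classname>.<template>', with 'index' as the
    fallback template and a bare template name when there is no class.
    """
    template_value = template_value or "index"
    if classname:
        return "%s.%s" % (classname, template_value)
    return template_value


def check(template_dir, name):
    """Return the real path of template `name` inside `template_dir`, or None.

    Two layers: a syntactic whitelist on the name, then a realpath
    containment check so that a symlink inside the template directory
    cannot escape it either.
    """
    if not isinstance(name, str) or not _SAFE_NAME.match(name):
        return None
    if ".." in name:  # conservative: also rejects 'a..b', which we do not need
        return None
    root = os.path.realpath(template_dir)
    for ext in ("",) + _EXTENSIONS:
        candidate = os.path.realpath(os.path.join(root, name + ext))
        # Containment after symlink resolution (second layer).
        if os.path.commonpath([root, candidate]) != root:
            return None
        if os.path.isfile(candidate):
            return candidate
    return None


def select_template(template_dir, classname, template_value):
    """Convert (classname, template_value) to a name, then validate it."""
    return check(template_dir, default_template_name(classname, template_value))


def build_demo_dir():
    """Create a constructed template tree for the demonstration.

    Returns the template root. Contains issue.index.html, issue.item.html
    and, where the platform allows it, a symlink 'escape.index.html' that
    points outside the root (which check() must reject).
    """
    base = tempfile.mkdtemp(prefix="tpl-demo-")
    root = os.path.join(base, "html")
    os.mkdir(root)
    for fname in ("issue.index.html", "issue.item.html"):
        with open(os.path.join(root, fname), "w") as fh:
            fh.write("<!-- constructed template %s -->\n" % fname)
    outside = os.path.join(base, "outside.html")
    with open(outside, "w") as fh:
        fh.write("<!-- constructed file outside the template root -->\n")
    try:
        os.symlink(outside, os.path.join(root, "escape.index.html"))
    except (OSError, NotImplementedError, AttributeError):
        pass  # symlinks unavailable; the containment check is simply not exercised
    return root


if __name__ == "__main__":
    root = build_demo_dir()
    for cls, tpl in (("issue", "item"), ("issue", None),
                     ("issue", "../../../etc/passwd"), ("../issue", "item"),
                     ("escape", "index")):
        print("%-12r %-22r -> %r" % (cls, tpl, select_template(root, cls, tpl)))
```

The first layer is what makes the check engine-independent: it operates on the template name, before any loader touches a path, so a second templating engine inherits it. The realpath containment is defence in depth against symlinks or an unexpected naming convention slipping a separator through.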
History:
Date                | User    | Action | Args
2015-06-29 09:54:31 | antmail | set    | recipients: + antmail, schlatterbeck, rouilj, joseph_myers
2015-06-29 09:54:31 | antmail | link   | issue2550891 messages
2015-06-29 09:54:30 | antmail | create |