Roundup Tracker - Issues

Message5336

Author antmail
Recipients antmail, joseph_myers, rouilj, schlatterbeck
Date 2015-06-29.09:54:30
Message-id <1131537204.20150629125425@inbox.ru>
In-reply-to <1435462602.73.0.78337339087.issue2550891@psf.upfronthosting.co.za>
As I mentioned, this patch looks ugly. It transforms the path (filename) string back to a (classname,
template_value) pair and then again to a path string.

This is because of a decision made some time ago:
"Template selection code is moved from Loader classes into cgi.client
 limiting the responsibility of Loaders to compilation and rendering.
 Internally, templating.find_template is replaced with
 client.selectTemplate."

The logic of converting (classname, template_value) to a file (path) name
was moved from the template engine to the client.selectTemplate
function.

If this feature is accepted then we need to move the logic back from
client.selectTemplate to the template engine.

I'll modify class templating.LoaderBase by
- adding a function for default conversion (as client.selectTemplate);
- adding a path traversal check in the existing templating.LoaderBase.check function.

> John Rouillard added the comment:

> I think any patch that goes in should work for any templating engine.
> So a check for directory traversal needs to happen in this patch.

> I would claim that the function reformTplName should do all the
> security checks. This way we are protected even if we add another
> templating engine someday.

> I think that is preferable to adding a check for ../ to the
> tal templating code.

> ----------
> nosy: +rouilj

> ________________________________________________
> Roundup tracker <issues@roundup-tracker.org>
> <http://issues.roundup-tracker.org/issue2550891>
> ________________________________________________
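The two loader changes proposed above (a default (classname, template_value) to filename conversion living in the loader, and a traversal check in the loader's check function), sketched as an added Python example. This is not Roundup's own code: the SafeLoader and is_rejected names, the 'class.template' naming and the '.html' suffix are assumptions.

```python
import os
import re

# Added example, not Roundup's own code: a minimal loader that does the
# (classname, template_value) -> filename conversion itself and rejects
# names that would escape the template directory.

# Template names: letters, digits, '_', '-' and '.', not starting with '.'.
_SAFE_NAME = re.compile(r'[A-Za-z0-9_][A-Za-z0-9_.-]*')


class TemplateTraversalError(ValueError):
    """Requested template would resolve outside the template directory."""


class SafeLoader(object):
    def __init__(self, template_dir):
        # Canonical base directory used for the containment check below.
        self.dir = os.path.realpath(template_dir)

    def template_name(self, classname, template_value):
        """Default conversion; the 'class.template' form is an assumption."""
        if not template_value:
            return classname or ''
        if not classname:
            return template_value
        return '%s.%s' % (classname, template_value)

    def check(self, name):
        """Return the absolute file path for a template name, or raise."""
        # First line of defence: refuse separators, '..', newlines and empty
        # names before touching the filesystem (fullmatch rejects trailing '\n').
        if not name or not _SAFE_NAME.fullmatch(name):
            raise TemplateTraversalError(name)
        # The '.html' suffix is an assumption about the on-disk layout.
        path = os.path.realpath(os.path.join(self.dir, name + '.html'))
        # Second line of defence: the resolved path (symlinks followed)
        # must still lie inside the template directory.
        if os.path.commonpath([self.dir, path]) != self.dir:
            raise TemplateTraversalError(name)
        return path

    def load(self, classname, template_value):
        return self.check(self.template_name(classname, template_value))


def is_rejected(loader, name):
    """True when the loader refuses the template name."""
    try:
        loader.check(name)
    except TemplateTraversalError:
        return True
    return False
```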
History

Date                 User     Action         Args
2015-06-29 09:54:31  antmail  setrecipients  + antmail, schlatterbeck, rouilj, joseph_myers
2015-06-29 09:54:31  antmail  link           issue2550891 messages
2015-06-29 09:54:30  antmail  create