Roundup Tracker - Issues

Message5326

Author antmail
Recipients antmail, joseph_myers
Date 2015-06-22.14:42:49
Message-id <383361450.20150622174238@inbox.ru>
In-reply-to <1434983184.4.0.0822857128119.issue2550891@psf.upfronthosting.co.za>
Hello, Joseph.

As for path traversal.

I started this patch by adding a check for '..' in the template name.
But then I found that FileSystemLoader in the Jinja2 engine already has
this check. I removed this check from my patch in the hope that a less
intrusive patch has more chance of being committed.

So, this patch turns the subdir feature on only for the Jinja2 engine, which
will raise TemplateNotFound in case of a path containing '..'.

If the subdirs feature is expanded to other template engines, there is
a need to add a check for '..' to the LoaderBase.check() function.

> Joseph Myers added the comment:

> My impression was that you could use subdirectories if their names
> matched the existing scheme, but that doing so introduced a path
> traversal vulnerability (see issue 2550701).  How does this patch relate
> to path traversal issues?

> ----------
> nosy: +joseph_myers

> ________________________________________________
> Roundup tracker <issues@roundup-tracker.org>
> <http://issues.roundup-tracker.org/issue2550891>
> ________________________________________________
History

Date                 User     Action         Args
2015-06-22 14:42:50  antmail  setrecipients  + antmail, joseph_myers
2015-06-22 14:42:50  antmail  link           issue2550891 messages
2015-06-22 14:42:49  antmail  create