Mercurial Mercurial > public > mercurial-scm > hg / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mercurial/hgweb/hgweb_mod.py
changeset 26138 f77a3f27cea5
parent 26136 6defc74f3066
parent 26120 1a45e49a6bed
child 26149 fd9b1262f0e4 
--- a/mercurial/hgweb/hgweb_mod.py	Mon Aug 31 22:44:20 2015 -0400
+++ b/mercurial/hgweb/hgweb_mod.py	Tue Sep 01 17:09:00 2015 -0500
@@ -159,9 +159,10 @@
         self.repostate = ((-1, -1), (-1, -1))
         self.mtime = -1
         self.reponame = name
-        # a repo owner may set web.templates in .hg/hgrc to get any file
-        # readable by the user running the CGI script
-        self.templatepath = self.config('web', 'templates')
+        # we use untrusted=False to prevent a repo owner from using
+        # web.templates in .hg/hgrc to get access to any file readable
+        # by the user running the CGI script
+        self.templatepath = self.config('web', 'templates', untrusted=False)
         self.websubtable = self.loadwebsub()
 
     # The CGI scripts are often run by a user different from the repo owner.
mercurial-scm/hg