diff -r 65d2538ac993 -r 1a45e49a6bed mercurial/hgweb/hgweb_mod.py
--- a/mercurial/hgweb/hgweb_mod.py Tue Sep 01 11:39:08 2015 -0400
+++ b/mercurial/hgweb/hgweb_mod.py Tue Sep 01 16:08:07 2015 -0500
@@ -89,9 +89,10 @@
 self.reponame = name
 self.archives = 'zip', 'gz', 'bz2'
 self.stripecount = 1
- # a repo owner may set web.templates in .hg/hgrc to get any file
- # readable by the user running the CGI script
- self.templatepath = self.config('web', 'templates')
+ # we use untrusted=False to prevent a repo owner from using
+ # web.templates in .hg/hgrc to get access to any file readable
+ # by the user running the CGI script
+ self.templatepath = self.config('web', 'templates', untrusted=False)
 self.websubtable = self.loadwebsub()
 # The CGI scripts are often run by a user different from the repo owner.
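Review bot: The added `untrusted=False` on the `self.templatepath` line is a trust-boundary fix, yet as far as this diff shows no test accompanies it; a test that sets `web.templates` in a repository's `.hg/hgrc` and asserts that hgweb still uses the trusted template path would pin the behaviour so a later refactor of `config()` cannot silently reopen it. The fix also depends on `self.config` forwarding the `untrusted` keyword to the underlying `ui.config` call, and that helper is defined outside the hunk, so it is worth confirming its signature at the call site rather than assuming it. The enclosing `__init__` continues past the end of the hunk. Since the new comment already states why the setting must not be read from the repository's own hgrc, it may help future readers to extend it with one sentence such as `# (any other web.* option that names a filesystem path should be read the same way)` so the pattern is applied consistently when new path-valued options are added.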