hgweb: fix trust of templates path (BC) Long ago we disabled trust of the templates path with a comment describing the (insecure) behavior before the change. At some later refactor, the code was apparently changed back to match the comment, unaware that the intent of the comment was to describe the behavior to avoid. This change disables the trust and updates the comment to explicitly say not only what the old problem was, but also that it was in fact a problem and the action taken to prevent it. Impact: prior to this change, if you had a UNIX-based hgweb server where users can write hgrc files, those users could potentially read any file readable by the web server. This is marked as a backwards compatibility issue because people may have configured templates without proper trust settings. Issue spotted by Greg Szorc.

     1

Mercurial

     2

=========

     3

     4

Mercurial is a fast, easy to use, distributed revision control tool

     5

for software developers.

     6

     7

Basic install:

     8

     9

 $ make            # see install targets

    10

 $ make install    # do a system-wide install

    11

 $ hg debuginstall # sanity-check setup

    12

 $ hg              # see help

    13

    14

Running without installing:

    15

    16

 $ make local      # build for inplace usage

    17

 $ ./hg --version  # should show the latest version

    18

    19

See http://mercurial.selenic.com/ for detailed installation

    20

instructions, platform-specific notes, and Mercurial user information.