# HG changeset patch # User Matt Mackall # Date 1441141687 18000 # Node ID 1a45e49a6bed023deb229102a8903234d18054d3 # Parent 65d2538ac993176ba0e10e62143b44ad7213c2ca hgweb: fix trust of templates path (BC) Long ago we disabled trust of the templates path with a comment describing the (insecure) behavior before the change. At some later refactor, the code was apparently changed back to match the comment, unaware that the intent of the comment was to describe the behavior to avoid. This change disables the trust and updates the comment to explicitly say not only what the old problem was, but also that it was in fact a problem and the action taken to prevent it. Impact: prior to this change, if you had a UNIX-based hgweb server where users can write hgrc files, those users could potentially read any file readable by the web server. This is marked as a backwards compatibility issue because people may have configured templates without proper trust settings. Issue spotted by Greg Szorc. diff -r 65d2538ac993 -r 1a45e49a6bed mercurial/hgweb/hgweb_mod.py --- a/mercurial/hgweb/hgweb_mod.py Tue Sep 01 11:39:08 2015 -0400 +++ b/mercurial/hgweb/hgweb_mod.py Tue Sep 01 16:08:07 2015 -0500 @@ -89,9 +89,10 @@ self.reponame = name self.archives = 'zip', 'gz', 'bz2' self.stripecount = 1 - # a repo owner may set web.templates in .hg/hgrc to get any file - # readable by the user running the CGI script - self.templatepath = self.config('web', 'templates') + # we use untrusted=False to prevent a repo owner from using + # web.templates in .hg/hgrc to get access to any file readable + # by the user running the CGI script + self.templatepath = self.config('web', 'templates', untrusted=False) self.websubtable = self.loadwebsub() # The CGI scripts are often run by a user different from the repo owner.