--- a/mercurial/templater.py Thu Mar 12 22:59:52 2015 -0400
+++ b/mercurial/templater.py Fri Mar 13 17:55:04 2015 -0500
@@ -749,7 +749,11 @@
styles = [styles]
for style in styles:
- if not style:
+ # only plain name is allowed to honor template paths
+ if (not style
+ or style in (os.curdir, os.pardir)
+ or os.sep in style
+ or os.altsep and os.altsep in style):
continue
locations = [os.path.join(style, 'map'), 'map-' + style]
locations.append('map')
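Review bot: The new condition in the `for style in styles:` loop rejects `os.curdir`, `os.pardir` and any value containing `os.sep` or `os.altsep`, but a value carrying a Windows drive prefix contains neither separator and still reaches `os.path.join(style, 'map')`. If the locations are later joined onto each template path (that code is outside the hunk), `os.path.join` would drop the template path for such a value, so I would add `or os.path.splitdrive(style)[0]` to the condition; on POSIX this is always empty and changes nothing. The comment could also state the reason, e.g. `# style may come from the request; only a plain name may be combined with the template paths`. The enclosing function starts and ends outside the hunk.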
--- a/tests/test-hgweb.t Thu Mar 12 22:59:52 2015 -0400
+++ b/tests/test-hgweb.t Fri Mar 13 17:55:04 2015 -0500
@@ -580,6 +580,45 @@
+no style can be loaded from directories other than the specified paths
+
+ $ mkdir -p x/templates/fallback
+ $ cat <<EOF > x/templates/fallback/map
+ > default = 'shortlog'
+ > shortlog = 'fall back to default\n'
+ > mimetype = 'text/plain'
+ > EOF
+ $ cat <<EOF > x/map
+ > default = 'shortlog'
+ > shortlog = 'access to outside of templates directory\n'
+ > mimetype = 'text/plain'
+ > EOF
+
+ $ "$TESTDIR/killdaemons.py" $DAEMON_PIDS
+ $ hg serve -p $HGPORT -d --pid-file=hg.pid -A access.log -E errors.log \
+ > --config web.style=fallback --config web.templates=x/templates
+ $ cat hg.pid >> $DAEMON_PIDS
+
+ $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT "?style=`pwd`/x"
+ 200 Script output follows
+
+ fall back to default
+
+ $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT '?style=..'
+ 200 Script output follows
+
+ fall back to default
+
+ $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT '?style=./..'
+ 200 Script output follows
+
+ fall back to default
+
+ $ "$TESTDIR/get-with-headers.py" localhost:$HGPORT '?style=.../.../'
+ 200 Script output follows
+
+ fall back to default
+
errors
$ cat errors.log
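Review bot: The `?style=.../.../` request does not appear to exercise the new filter, because the setup creates only `x/templates/fallback/map` and `x/map` and no map file exists under a `...` directory. That request would presumably fall back to the default style with or without the templater change, although the lookup code is not visible here. The `..`, `./..` and absolute-path requests do resolve to the `x/map` sentinel, so they are the ones that prove the fix. I would either add a sentinel map that the `.../.../` value would reach, or add an unindented comment line above it such as `"..." is not a parent reference; this only checks that a name containing a separator is ignored`. Nothing in the added block requests a plain style name, so over-blocking by the new condition is not covered within this hunk.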