diff options
| author | Mike Bayer <mike_mp@zzzcomputing.com> | 2011-09-27 20:22:49 -0400 |
|---|---|---|
| committer | Mike Bayer <mike_mp@zzzcomputing.com> | 2011-09-27 20:22:49 -0400 |
| commit | 5cd508ffe0d7eaadd6516fc35137c93d1d6577a9 (patch) | |
| tree | eefada05297a664e66c3be6bc87f77b5ca91da9d /mako/template.py | |
| parent | 0e42388ff8825bd7ea356d4b963a4b33ce9d6e22 (diff) | |
| download | external_python_mako-5cd508ffe0d7eaadd6516fc35137c93d1d6577a9.tar.gz external_python_mako-5cd508ffe0d7eaadd6516fc35137c93d1d6577a9.tar.bz2 external_python_mako-5cd508ffe0d7eaadd6516fc35137c93d1d6577a9.zip | |
- A Template is explicitly disallowedrel_0_5_0
from having a url that normalizes to relative outside
of the root. That is, if the Lookup is based
at /home/mytemplates, an include that would place
the ultimate template at
/home/mytemplates/../some_other_directory,
i.e. outside of /home/mytemplates,
is disallowed. This usage was never intended
despite the lack of an explicit check.
The main issue this causes
is that module files can be written outside
of the module root (or raise an error, if file perms aren't
set up), and can also lead to the same template being
cached in the lookup under multiple, relative roots.
TemplateLookup instead has always supported multiple
file roots for this purpose.
[ticket:174]
Diffstat (limited to 'mako/template.py')
| -rw-r--r-- | mako/template.py | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/mako/template.py b/mako/template.py index 903dc42..3d02c55 100644 --- a/mako/template.py +++ b/mako/template.py @@ -163,7 +163,17 @@ class Template(object): else: self.module_id = "memory:" + hex(id(self)) self.uri = self.module_id - + + u_norm = self.uri + if u_norm.startswith("/"): + u_norm = u_norm[1:] + u_norm = os.path.normpath(u_norm) + if u_norm.startswith(".."): + raise exceptions.TemplateLookupException( + "Template uri \"%s\" is invalid - " + "it cannot be relative outside " + "of the root path." % self.uri) + self.input_encoding = input_encoding self.output_encoding = output_encoding self.encoding_errors = encoding_errors @@ -203,18 +213,14 @@ class Template(object): if module_filename is not None: path = module_filename elif module_directory is not None: - u = self.uri - if u[0] == '/': - u = u[1:] path = os.path.abspath( os.path.join( os.path.normpath(module_directory), - os.path.normpath(u) + ".py" + u_norm + ".py" ) ) else: path = None - module = self._compile_from_file(path, filename) else: raise exceptions.RuntimeException( |