Hi Chad,

On Sat, May 21, 2005 at 02:01:06PM -0500, Chad Walstrom wrote:
> tags 309648 pending patch sarge
> thanks
>
> Kenshi Muto <kmuto@debian.org> submitted a patch he pulled from
> cheetah's CVS upstream repository that fixes this security hole. This
> is an RC bug against sarge's version of the package, thus why I tagged
> it "sarge". I just uploaded the version to fix this in unstable, thus
> the pending tag.
>
> Please consider this for Sarge.

Has this code been tested? Templates._importAsDummyModule now does:

    def _importAsDummyModule(self, contents):
        """Used by the Compiler to do correct importing from Cheetah templates
        when the template is compiled via the Template class' interface rather
        than via 'cheetah compile'.
        """
        tmpFileName = self._genTmpFilename()
        name = tmpFilename.replace('.py','')
        co = compile(contents+'\n', tmpFilename, 'exec')
        mod = new.module(name)
        #mod.__file__ = co.co_filename
        #mod.__co__ = co
        exec co in mod.__dict__
        return mod

and Templates.compile calls Compiler, which does:

    def __init__(self, source=None, file=None,
                 moduleName='GenTemplate',
                 mainClassName=None,
                 mainMethodName='respond',
                 templateObj=None,
                 settings=None):
        [...]
        if source and file:
            raise TypeError("Cannot compile from a source string AND file.")

Looks to me like this code can never work?

-- 
Steve Langasek
postmodern programmer
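To make the objection above concrete, here is an added illustration that is not part of the thread and not Cheetah's own code. It reproduces the local-name mismatch in the quoted _importAsDummyModule (the value is bound to tmpFileName but tmpFilename is read, so the method raises NameError before anything is compiled) next to a version with a consistent name, written for Python 3 with types.ModuleType standing in for the old `new.module`. The template source, the temp-file name and the `respond` function are constructed here for the demonstration; in-memory compilation means the filename only labels tracebacks and nothing is written to disk.

```python
import types

# Constructed stand-in for the Python source Cheetah's compiler would emit
# for a template: a plain module body with one function.
SAMPLE_SOURCE = """
def respond():
    return 'hello from dummy module'
"""

# Constructed placeholder for what Cheetah's _genTmpFilename() would return.
FAKE_TMP_FILENAME = "cheetah_tmp_abc123.py"


def import_as_dummy_module_broken(contents, tmp_filename=FAKE_TMP_FILENAME):
    """Same control flow as the quoted patch: binds tmpFileName, reads tmpFilename."""
    tmpFileName = tmp_filename
    name = tmpFilename.replace('.py', '')  # NameError: tmpFilename was never bound
    co = compile(contents + '\n', tmpFileName, 'exec')
    mod = types.ModuleType(name)
    exec(co, mod.__dict__)
    return mod


def import_as_dummy_module(contents, tmp_filename=FAKE_TMP_FILENAME):
    """Corrected variant: one consistent local name, module built in memory.

    types.ModuleType replaces the Python 2 `new.module`; the filename passed to
    compile() is only recorded in co_filename for tracebacks, no file is created.
    """
    name = tmp_filename.replace('.py', '')
    co = compile(contents + '\n', tmp_filename, 'exec')
    mod = types.ModuleType(name)
    mod.__file__ = co.co_filename
    exec(co, mod.__dict__)
    return mod


def broken_version_raises_name_error(contents=SAMPLE_SOURCE):
    """True if the as-posted version dies with NameError, i.e. never works."""
    try:
        import_as_dummy_module_broken(contents)
    except NameError:
        return True
    return False


if __name__ == "__main__":
    print("broken version raises NameError:", broken_version_raises_name_error())
    mod = import_as_dummy_module(SAMPLE_SOURCE)
    print(mod.__name__, mod.__file__, mod.respond())
```

Running it shows the first variant failing on the `name = ...` line for any input, while the second returns a usable module whose `__file__` carries the constructed filename without any temp file existing on disk.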