Hi Chad,
On Sat, May 21, 2005 at 02:01:06PM -0500, Chad Walstrom wrote:
> tags 309648 pending patch sarge
> thanks
> Kenshi Muto <kmuto@debian.org> submitted a patch he pulled from
> cheetah's CVS upstream repository that fixes this security hole. This
> is an RC bug against sarge's version of the package, thus why I tagged
> it "sarge". I just uploaded the version to fix this in unstable, thus
> the pending tag.
> Please consider this for Sarge.
Has this code been tested?
Templates._importAsDummyModule now does:
def _importAsDummyModule(self, contents):
    """Used by the Compiler to do correct importing from Cheetah templates
    when the template is compiled via the Template class' interface rather
    than via 'cheetah compile'.
    """
    tmpFileName = self._genTmpFilename()
    name = tmpFilename.replace('.py','')
    co = compile(contents+'\n', tmpFilename, 'exec')
    mod = new.module(name)
    #mod.__file__ = co.co_filename
    #mod.__co__ = co
    exec co in mod.__dict__
    return mod
and Templates.compile calls Compiler, which does:
def __init__(self, source=None, file=None, moduleName='GenTemplate',
             mainClassName=None,
             mainMethodName='respond',
             templateObj=None,
             settings=None):
    [...]
    if source and file:
        raise TypeError("Cannot compile from a source string AND file.")
Looks to me like this code can never work?
--
Steve Langasek
postmodern programmer