Make sure catalog TemplateDir directives are safe when NoAbsolute is set

interchange · Sep 8, 2009 · 239f9a3 · 239f9a3
1 parent 74803e2
commit 239f9a3
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/lib/Vend/Config.pm b/lib/Vend/Config.pm
@@ -3579,9 +3579,16 @@ sub set_default_search {
 		},
 		ProductFiles => \&set_default_search,
 		VendRoot => sub {
+			my $cat_template_dirs = $C->{TemplateDir} || [];
+			if ($Global::NoAbsolute) {
+				for (@$cat_template_dirs) {
+					absolute_or_relative($_) and
+						config_error("TemplateDir path %s is prohibited by NoAbsolute", $_);
+				}
+			}
 			my @paths = map { quotemeta $_ }
 							$C->{VendRoot},
-							@{$C->{TemplateDir} || []},
+							@$cat_template_dirs,
 							@{$Global::TemplateDir || []};
 			my $re = join "|", @paths;
 			$Global::AllowedFileRegex->{$C->{CatalogName}} = qr{^($re)};