From 239f9a3b19506dd2da369c3c8c047acf0f3b2d7f Mon Sep 17 00:00:00 2001
From: Jon Jensen
Date: Mon, 7 Sep 2009 23:03:18 -0600
Subject: [PATCH] Make sure catalog TemplateDir directives are safe when NoAbsolute is set
---
 lib/Vend/Config.pm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/Vend/Config.pm b/lib/Vend/Config.pm
index 1d8862741..75c188e5c 100644
--- a/lib/Vend/Config.pm
+++ b/lib/Vend/Config.pm
@@ -3579,9 +3579,16 @@ sub set_default_search {
 },
 ProductFiles => \&set_default_search,
 VendRoot => sub {
+ my $cat_template_dirs = $C->{TemplateDir} || [];
+ if ($Global::NoAbsolute) {
+ for (@$cat_template_dirs) {
+ absolute_or_relative($_) and
+ config_error("TemplateDir path %s is prohibited by NoAbsolute", $_);
+ }
+ }
 my @paths = map { quotemeta $_ }
 $C->{VendRoot},
- @{$C->{TemplateDir} || []},
+ @$cat_template_dirs,
 @{$Global::TemplateDir || []};
 my $re = join "|", @paths;
 $Global::AllowedFileRegex->{$C->{CatalogName}} = qr{^($re)};
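Review bot: The new NoAbsolute loop in the `VendRoot` default sub only protects the allowlist if `config_error` always aborts. Its definition is outside this hunk; if it can return in any mode, the rejected entry stays in `@$cat_template_dirs` and is still compiled into `$Global::AllowedFileRegex` a few lines later. Dropping the offending entries inside the `if ($Global::NoAbsolute)` block would make the check fail closed, e.g. `$cat_template_dirs = [ grep { !absolute_or_relative($_) } @$cat_template_dirs ];` after the loop. Separately, on the unchanged last line, `qr{^($re)}` is a bare prefix match, so unless every entry ends in a path separator an allowed directory also admits any sibling path that merely starts with the same string (constructed example: `/a/tmpl` also matching `/a/tmpl-other`). Requiring a separator or end of string after each alternative would close that gap. The closure body continues past the end of the hunk.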