use posixpath.join when loading template names #1621

Merged
merged 1 commit into from Mar 15, 2022

davidism
Member

@davidism davidism commented Mar 15, 2022

Similar to an issue with Werkzeug and Flask's send_file and safe_join, FileSystemLoader and PackageLoader should use posixpath.join instead of os.path.join, so that on Windows "drive:" and UNC segments cannot break out of the search directory.

@davidism davidism added this to the 3.1.0 milestone Mar 15, 2022
@davidism davidism merged commit ede0f98 into main Mar 15, 2022
11 checks passed
@davidism davidism deleted the template-safe-path branch Mar 15, 2022
felixxm added a commit to felixxm/django that referenced this pull request Mar 25, 2022
felixxm added a commit to django/django that referenced this pull request Mar 25, 2022
felixxm added a commit to django/django that referenced this pull request Mar 25, 2022
felixxm added a commit to django/django that referenced this pull request Mar 25, 2022
felixxm added a commit to django/django that referenced this pull request Mar 25, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 31, 2022
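
The join behaviour the description refers to, shown for the "drive:" case as an added example (not code from Jinja or from this pull request). `SEARCH_DIR`, `split_name` and the other helper names are hypothetical, and `ntpath` stands in for `os.path` on Windows so the comparison runs on any OS:

```python
import ntpath      # os.path as it behaves on Windows, importable everywhere
import posixpath

SEARCH_DIR = "C:\\app\\templates"  # constructed search directory


def split_name(template):
    """Hypothetical segment check: split on "/", refuse ".." and backslashes."""
    pieces = []
    for piece in template.split("/"):
        if piece == ".." or "\\" in piece:
            raise ValueError(f"unsafe template name: {template!r}")
        if piece and piece != ".":
            pieces.append(piece)
    return pieces


def join_windows_rules(search_dir, template):
    # A segment carrying a different drive makes ntpath.join drop search_dir.
    return ntpath.join(search_dir, *split_name(template))


def join_posix_rules(search_dir, template):
    # posixpath.join gives "D:" no special meaning, so search_dir stays the prefix.
    return posixpath.join(search_dir, *split_name(template))


def stays_inside(search_dir, path):
    """Containment check under Windows rules, usable as a regression assertion."""
    base = ntpath.normcase(ntpath.normpath(search_dir))
    full = ntpath.normcase(ntpath.normpath(path))
    return full.startswith(base + "\\")


def compare(template):
    old = join_windows_rules(SEARCH_DIR, template)
    new = join_posix_rules(SEARCH_DIR, template)
    return {
        "old": old, "old_inside": stays_inside(SEARCH_DIR, old),
        "new": new, "new_inside": stays_inside(SEARCH_DIR, new),
    }


if __name__ == "__main__":
    # Constructed template names: one ordinary, one with a drive segment.
    for name in ("emails/welcome.html", "D:/secret.txt"):
        print(name, compare(name))
```

The segment check passes "D:" because it contains neither ".." nor a separator, which is why the choice of join function decides whether the result stays under the search directory.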