issue2550701, issue2550891 deal with path traversal issue in TAL based template finding code. Use standard method.

Author: rouilj

CHANGES.txt

@@ -286,6 +286,12 @@ Fixed:
   Had to explicitly manage transactions with BEGIN IMMEDIATE and call
   sql_commit. Note that this reduces performance in return for accuracy.
   Problem reported by Matt Mackall (mpm) (John Rouillard).
+- issue2550701: Path traversal from template names. This affects the
+  tal based template engines (zopetal, chameleon). If a directory
+  with a specific name is created in the html subdirectory, the
+  template name in the url can be used to get access to files outside
+  of the tracker html directory. This has been fixed by normalizing
+  the path and comparing to the normalized path for the html directory.
 
 2016-01-11: 1.5.1
 

roundup/cgi/templating.py

@@ -20,7 +20,7 @@
 __docformat__ = 'restructuredtext'
 
 
-import cgi, urllib, re, os.path, mimetypes, csv
+import cgi, urllib, re, os.path, mimetypes, csv, string
 import calendar
 import textwrap
 
@@ -116,9 +116,14 @@ def __init__(self, dir):
     def _find(self, name):
         """ Find template, return full path and filename of the
             template if it is found, None otherwise."""
+        realsrc = os.path.realpath(self.dir)
         for extension in ['', '.html', '.xml']:
             f = name + extension
-            src = os.path.join(self.dir, f)
+            src = os.path.join(realsrc, f)
+            realpath = os.path.realpath(src)
+            print f, src, realpath, realsrc
+            if string.find(realpath, realsrc) != 0:
+                return # will raise invalid template
             if os.path.exists(src):
                 return (src, f)