mirror of
https://github.com/django/django.git
synced 2025-06-05 11:39:13 +00:00
Encapsulated ALLOWED_INCLUDE_ROOTS in Engine.
This commit is contained in:
parent
246cfdeae3
commit
98ac69af53
@ -375,9 +375,9 @@ class RegroupNode(Node):
|
|||||||
return ''
|
return ''
|
||||||
|
|
||||||
|
|
||||||
def include_is_allowed(filepath):
|
def include_is_allowed(filepath, allowed_include_roots):
|
||||||
filepath = os.path.abspath(filepath)
|
filepath = os.path.abspath(filepath)
|
||||||
for root in settings.ALLOWED_INCLUDE_ROOTS:
|
for root in allowed_include_roots:
|
||||||
if filepath.startswith(root):
|
if filepath.startswith(root):
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
@ -391,7 +391,7 @@ class SsiNode(Node):
|
|||||||
def render(self, context):
|
def render(self, context):
|
||||||
filepath = self.filepath.resolve(context)
|
filepath = self.filepath.resolve(context)
|
||||||
|
|
||||||
if not include_is_allowed(filepath):
|
if not include_is_allowed(filepath, context.engine.allowed_include_roots):
|
||||||
if settings.DEBUG:
|
if settings.DEBUG:
|
||||||
return "[Didn't have permission to include file]"
|
return "[Didn't have permission to include file]"
|
||||||
else:
|
else:
|
||||||
|
Loading…
x
Reference in New Issue
Block a user