Merge pull request #1621 from pallets/template-safe-path
use `posixpath.join` when loading template names
davidism authored Mar 15, 2022
2 parents a292075 + 040088a commit ede0f98
Showing 3 changed files with 15 additions and 6 deletions.
3 changes: 3 additions & 0 deletions CHANGES.rst
@@ -36,6 +36,9 @@ Unreleased
- The ``groupby`` filter is case-insensitive by default, matching
other comparison filters. Added the ``case_sensitive`` parameter to
control this. :issue:`1463`
- Windows drive-relative path segments in template names will not
result in ``FileSystemLoader`` and ``PackageLoader`` loading from
drive-relative paths. :pr:`1621`


Version 3.0.3
11 changes: 8 additions & 3 deletions src/jinja2/loaders.py
@@ -3,6 +3,7 @@
"""
import importlib.util
import os
import posixpath
import sys
import typing as t
import weakref
@@ -193,7 +194,9 @@ def get_source(
) -> t.Tuple[str, str, t.Callable[[], bool]]:
pieces = split_template_path(template)
for searchpath in self.searchpath:
filename = os.path.join(searchpath, *pieces)
# Use posixpath even on Windows to avoid "drive:" or UNC
# segments breaking out of the search directory.
filename = posixpath.join(searchpath, *pieces)
f = open_if_exists(filename)
if f is None:
continue
@@ -296,7 +299,7 @@ def __init__(
if isinstance(loader, zipimport.zipimporter):
self._archive = loader.archive
pkgdir = next(iter(spec.submodule_search_locations)) # type: ignore
template_root = os.path.join(pkgdir, package_path)
template_root = os.path.join(pkgdir, package_path).rstrip(os.path.sep)
else:
roots: t.List[str] = []

@@ -326,7 +329,9 @@ def __init__(
def get_source(
self, environment: "Environment", template: str
) -> t.Tuple[str, str, t.Optional[t.Callable[[], bool]]]:
p = os.path.join(self._template_root, *split_template_path(template))
# Use posixpath even on Windows to avoid "drive:" or UNC
# segments breaking out of the search directory.
p = posixpath.join(self._template_root, *split_template_path(template))
up_to_date: t.Optional[t.Callable[[], bool]]

if self._archive is None:
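Review bot: The paths produced by the two new `posixpath.join` calls mix separators on Windows (a native `searchpath` or `_template_root` followed by `/`-joined pieces), and that string is what `get_source` goes on to open and, judging by the adjusted `name.endswith(posixpath.join(...))` assertions in the tests, hand back as the template filename. Normalising after the join keeps the protection against drive and UNC segments while restoring native separators: `filename = os.path.normpath(posixpath.join(searchpath, *pieces))`, and the same wrapper around `p` in `PackageLoader.get_source`; this assumes `split_template_path` keeps rejecting `..` pieces, which is not shown here. Both `get_source` bodies and the zip-archive lookup continue outside the hunks, so whether that lookup accepts `/` on Windows needs checking there. The added `.rstrip(os.path.sep)` in `__init__` has no comment; something like `# drop a trailing separator so posixpath.join does not produce "\\/"` (if that is the reason) would save the next reader the archaeology.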
7 changes: 4 additions & 3 deletions tests/test_loader.py
@@ -3,6 +3,7 @@
import importlib.util
import os
import platform
import posixpath
import shutil
import sys
import tempfile
@@ -303,7 +304,7 @@ def package_dir_loader(monkeypatch):
def test_package_dir_source(package_dir_loader, template, expect):
source, name, up_to_date = package_dir_loader.get_source(None, template)
assert source.rstrip() == expect
assert name.endswith(os.path.join(*split_template_path(template)))
assert name.endswith(posixpath.join(*split_template_path(template)))
assert up_to_date()


@@ -325,7 +326,7 @@ def package_file_loader(monkeypatch):
def test_package_file_source(package_file_loader, template, expect):
source, name, up_to_date = package_file_loader.get_source(None, template)
assert source.rstrip() == expect
assert name.endswith(os.path.join(*split_template_path(template)))
assert name.endswith(posixpath.join(*split_template_path(template)))
assert up_to_date()


@@ -348,7 +349,7 @@ def package_zip_loader(monkeypatch):
def test_package_zip_source(package_zip_loader, template, expect):
source, name, up_to_date = package_zip_loader.get_source(None, template)
assert source.rstrip() == expect
assert name.endswith(os.path.join(*split_template_path(template)))
assert name.endswith(posixpath.join(*split_template_path(template)))
assert up_to_date is None


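Review bot: None of the changes in this file exercises the case the commit fixes: the three edited assertions only follow the new separator in `name`, so on a POSIX runner they pass with or without the loader change. A Windows-only regression test would pin it, by asking a `FileSystemLoader` and a `PackageLoader` for a name whose segment carries a drive prefix while a file exists at the corresponding location outside the search directory, and asserting `TemplateNotFound`, e.g. `with pytest.raises(TemplateNotFound): loader.get_source(None, name)`. The module already imports `platform`, which a `skipif` on non-Windows systems could use.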
