[Templates] Relative paths
Andy Wardley
abw@cre.canon.co.uk
Wed, 16 Aug 2000 15:56:09 +0100
On Aug 16, 2:56pm, Jonas Liljegren wrote:
> [% PROCESS '../site/front.html' %]
>
> I get the response:
>
> ../site/front.html: relative paths are not allowed (set RELATIVE option)
>
>
> This is a contradiction. Paths relative to the INCLUDE_PATH works if they
> are of the form path/to/template, but not if they say ../path/template. I
> think that '..' should be allowed.
The problem with allowing relative paths by default is that someone could
say:
[% INCLUDE ../../../../../../../../../etc/passwd %]
The INCLUDE_PATH is a way of saying "you can only get templates from
these directories, and no-where else". Allowing '..' would break
that and possibly be a security hazard.
> The RELATIVE option is for searching for templates relative to the current
> directory. Would anyone realy want to use that option?
Most often you wouldn't. But tpage and ttree rely on it, for example.
Remember that TT isn't just for web servers.
> This is hovever not correct. If I try:
>
> [% INSERT ../test/t2/banner.html %]
OK, that looks like a bug. I'll add it to the TODO list.
> One last thing. Then does TT2 beta 4 come out? ;-)
It comes out when you stop adding things to the TODO list. :-)=
A
--
Andy Wardley <abw@kfs.org> Signature regenerating. Please remain seated.
<abw@cre.canon.co.uk> For a good time: http://www.kfs.org/~abw/