RE: [Templates] "calculated" path to template

Fri, 03 Feb 2006 08:00:39 -0800 

I hadn't considered the "security" issues, particularly because it's not
an issue in my implementation, but I see your point. Rather than forcing
you to disable feature, it should probably be made available only with
an explicit "EXPOSE_PATH_INFO => 1" option (or something like that.)
Here's an attempt at a patch that addresses this concern:

--- Template/Provider.pm     2004-01-30 13:37:50.000000000 -0500
+++ Provider.pm 2006-02-03 10:49:05.000000000 -0500
@@ -841,6 +841,8 @@
             'modtime' => $data->{ time },
             %{ $parsedoc->{ METADATA } },
         };
+        $parsedoc->{ METADATA }{ path } = $data->{ path }
+            if $self->{ EXPOSE_PATH_INFO };

         # write the Perl code to the file $compfile, if defined
         if ($compfile) {

[EMAIL PROTECTED] wrote:
> 
> Sorry I haven't taken a close look at this code in context, 
> but would I be
> correct in thinking that this would give the template coder 
> access to  the
> full path name?  Because I personally have reasons for wanting to keep
> someone with template access from knowing full system paths.  
> So if there
> wasn't a way to disable such access at the code level, I'd be wary of
> this.
> 
> -Stephen
> 
> > As long as Template::Provider is being patched for a new release, is
> > there any chance of adding an additional piece of info to the
> > template/component hash? I've encountered situations, when 
> I'm using a
> > list of INCLUDE_PATHs, where it would be useful to have 
> access to the
> > calculated full path to the actual template file.
> >
> > If I'm not mistaken, this would only require a one-line 
> addition to the
> > _compile() method. I haven't done much patching, so forgive 
> me if this
> > isn't correctly formatted:
> >
> > --- Template/Provider.pm     2004-01-30 13:37:50.000000000 -0500
> > +++ Provider.pm 2006-02-02 13:19:59.000000000 -0500
> > @@ -839,6 +839,7 @@
> >          $parsedoc->{ METADATA } = {
> >              'name'    => $data->{ name },
> >              'modtime' => $data->{ time },
> > +            'path'    => $data->{ path },
> >              %{ $parsedoc->{ METADATA } },
> >          };
> >
> > The key name "path" is merely a suggestion, but I hope the 
> concept makes
> > sense. Comments, anyone?
> >
> > Jason
> >
> > Jason Gottshall
> > [EMAIL PROTECTED]
 

_______________________________________________
templates mailing list
[email protected]
http://lists.template-toolkit.org/mailman/listinfo/templates

Reply via email to