fix(help): mitigate security fix for docs

Signed-off-by: Ameya Shenoy <shenoy.ameya@gmail.com>
2018-10-30 17:13:00 +05:30 · 2018-10-30 17:13:00 +05:30 · dd0e7ba472
commit dd0e7ba472
parent 3afb9ebcbc
2 changed files with 6 additions and 4 deletions
--- a/frappe/utils/help.py
+++ b/frappe/utils/help.py
@ -143,7 +143,7 @@ class HelpDatabase(object):
 							with io.open(fpath, 'r', encoding = 'utf-8') as f:
 								try:
 									content = frappe.render_template(f.read(),
-										{'docs_base_url': '/assets/{app}_docs'.format(app=app)})
+										{'docs_base_url': '/assets/{app}_docs'.format(app=app)}, safe_render=False)

 									relpath = self.get_out_path(fpath)
 									relpath = relpath.replace("user", app)
--- a/frappe/utils/jinja.py
+++ b/frappe/utils/jinja.py
@ -50,12 +50,14 @@ def validate_template(html):
 		frappe.msgprint('Line {}: {}'.format(e.lineno, e.message))
 		frappe.throw(frappe._("Syntax error in template"))

-def render_template(template, context, is_path=None):
+def render_template(template, context, is_path=None, safe_render=True):
 	'''Render a template using Jinja

 	:param template: path or HTML containing the jinja template
 	:param context: dict of properties to pass to the template
-	:param is_path: (optional) assert that the `template` parameter is a path'''
+	:param is_path: (optional) assert that the `template` parameter is a path
+	:param safe_render: (optional) prevent server side scripting via jinja templating 
+	'''

 	from frappe import throw

@ -68,7 +70,7 @@ def render_template(template, context, is_path=None):
 		or (template.endswith('.html') and '\n' not in template)):
 		return get_jenv().get_template(template).render(context)
 	else:
-		if ".__" in template:
+		if safe_render and ".__" in template:
 			throw("Illegal template")
 		return get_jenv().from_string(template).render(context)