authorMarcel Hellkamp <marc@gsites.de>2012-10-17 21:05:35 +0200
committerMarcel Hellkamp <marc@gsites.de>2012-10-17 22:40:59 +0200
commit698d1830be1491684ab77c546297667e01fd61c8 (patch)
treec1b7cb5bb618a401d25ef9fae6111a070ec7154f
parent8048b8c0d1d81d2049a7e92ed4303819a310895d (diff)
downloadbottle-698d1830be1491684ab77c546297667e01fd61c8.tar.gz
Fix #387: Template lookup found files in workdir, even if TEMPLATE_PATH did not contain '.'.
The template path list is now obeyed (with an exception for templates with an explicit absolute path). The next release will tighten the rules a bit further: TEMPLATE_PATH must not be empty, and absolute paths are considered relative, too. This ensures that only templates from within TEMPLATE_PATH directories are loaded.
-rw-r--r--bottle.py16
1 files changed, 12 insertions, 4 deletions
diff --git a/bottle.py b/bottle.py
index 15a55d9..ee870b6 100644
--- a/bottle.py
+++ b/bottle.py
@@ -2799,11 +2799,19 @@ class BaseTemplate(object):
def search(cls, name, lookup=[]):
""" Search name in all directories specified in lookup.
First without, then with common extensions. Return first hit. """
- if os.path.isfile(name): return name
+ if not lookup:
+ depr('The template lookup path list should not be empty.')
+ lookup = ['.']
+
+ if os.path.isabs(name) and os.path.isfile(name):
+ depr('Absolute template path names are deprecated.')
+ return os.path.abspath(name)
+
for spath in lookup:
- fname = os.path.join(spath, name)
- if os.path.isfile(fname):
- return fname
+ spath = os.path.abspath(spath) + os.sep
+ fname = os.path.abspath(os.path.join(spath, name))
+ if not fname.startswith(spath): continue
+ if os.path.isfile(fname): return fname
for ext in cls.extensions:
if os.path.isfile('%s.%s' % (fname, ext)):
return '%s.%s' % (fname, ext)
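Review bot: The absolute-name branch (`if os.path.isabs(name) and os.path.isfile(name)`) returns before the new `fname.startswith(spath)` containment check, so a name that is not fully under the application's control can still select any readable file outside TEMPLATE_PATH. The description defers closing this to the next release, so until then the branch deserves a comment such as `# NOTE: absolute names bypass the lookup list; never pass untrusted names here.` The containment check is also purely lexical: `os.path.abspath` collapses `..` but does not resolve symlinks, so a link inside a lookup directory can still lead outside it. If that matters for the project, applying `os.path.realpath` to both `spath` and `fname` would close it, at the cost of rejecting such links. A short comment on the `startswith` line (`# skip names that escape this lookup directory, e.g. '../x'`) would record the intent; the decorator of `search` and anything after the extension loop lie outside the hunk.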