mathewmarcus
Ok got it. In that case, I've noticed that the Partials functionality allows for reading of arbitrary files. For example, given the following template (template.mustache):

```
{{> ../../../../../../../etc/passwd}}
```

the...
I believe this behavior stems from these lines here: https://github.com/cbroglie/mustache/blob/master/partials.go#L33-L48. Specifically, the default `FileProvider` defaults the `Paths` to the current directory (https://github.com/cbroglie/mustache/blob/master/mustache.go#L718) and `Extensions` to `"", ".mustache", ".stache"`. Then, because...
The scenario in which I could see it being an issue is one where - for example - a webapp uses this library to render arbitrary templates supplied by external...
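A mitigation sketch for the partial lookup described in the comments above, added here as an example and not taken from cbroglie/mustache or from the commenter: a provider that confines partial names to one template directory, rejecting both `../` names and symlinks that lead outside it. `ConfinedProvider`, `within` and `ErrOutsideRoot` are hypothetical names, and the `Get(name) (string, error)` shape is an assumption about how a custom provider would be plugged in.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("partial resolves outside template root")

// ConfinedProvider (hypothetical name) serves partials only from beneath Root.
type ConfinedProvider struct {
	Root       string
	Extensions []string
}

// within reports whether path is root itself or a descendant of it.
func within(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// Get returns the partial's text, "" when no file matches, or ErrOutsideRoot.
func (p ConfinedProvider) Get(name string) (string, error) {
	root, err := filepath.Abs(p.Root)
	if err == nil {
		root, err = filepath.EvalSymlinks(root)
	}
	if err != nil {
		return "", err
	}
	for _, ext := range p.Extensions {
		candidate := filepath.Join(root, name+ext) // Join collapses "../" segments
		resolved, err := filepath.EvalSymlinks(candidate)
		if !within(root, candidate) || (err == nil && !within(root, resolved)) {
			return "", ErrOutsideRoot // lexical escape, or a symlink leading out
		}
		if data, rerr := os.ReadFile(resolved); err == nil && rerr == nil {
			return string(data), nil
		}
	}
	return "", nil
}

func main() {
	p := ConfinedProvider{Root: ".", Extensions: []string{"", ".mustache", ".stache"}}
	fmt.Println(p.Get("../../../../../../../etc/passwd")) // partial name from the report
}
```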
@bugeats @izieg-lo3 you are absolutely right, `apispec-chalice` does need to be updated to be compatible with the newer versions of `apispec`. Unfortunately, I do not have the capacity to do...