Merge pull request #1621 from pallets/template-safe-path

use `posixpath.join` when loading template names

Author: davidism

CHANGES.rst

@@ -36,6 +36,9 @@ Unreleased
 -   The ``groupby`` filter is case-insensitive by default, matching
     other comparison filters. Added the ``case_sensitive`` parameter to
     control this. :issue:`1463`
+-   Windows drive-relative path segments in template names will not
+    result in ``FileSystemLoader`` and ``PackageLoader`` loading from
+    drive-relative paths. :pr:`1621`
 
 
 Version 3.0.3

src/jinja2/loaders.py

@@ -3,6 +3,7 @@
 """
 import importlib.util
 import os
+import posixpath
 import sys
 import typing as t
 import weakref
@@ -193,7 +194,9 @@ def get_source(
     ) -> t.Tuple[str, str, t.Callable[[], bool]]:
         pieces = split_template_path(template)
         for searchpath in self.searchpath:
-            filename = os.path.join(searchpath, *pieces)
+            # Use posixpath even on Windows to avoid "drive:" or UNC
+            # segments breaking out of the search directory.
+            filename = posixpath.join(searchpath, *pieces)
             f = open_if_exists(filename)
             if f is None:
                 continue
@@ -296,7 +299,7 @@ def __init__(
         if isinstance(loader, zipimport.zipimporter):
             self._archive = loader.archive
             pkgdir = next(iter(spec.submodule_search_locations))  # type: ignore
-            template_root = os.path.join(pkgdir, package_path)
+            template_root = os.path.join(pkgdir, package_path).rstrip(os.path.sep)
         else:
             roots: t.List[str] = []
 
@@ -326,7 +329,9 @@ def __init__(
     def get_source(
         self, environment: "Environment", template: str
     ) -> t.Tuple[str, str, t.Optional[t.Callable[[], bool]]]:
-        p = os.path.join(self._template_root, *split_template_path(template))
+        # Use posixpath even on Windows to avoid "drive:" or UNC
+        # segments breaking out of the search directory.
+        p = posixpath.join(self._template_root, *split_template_path(template))
         up_to_date: t.Optional[t.Callable[[], bool]]
 
         if self._archive is None:

tests/test_loader.py

@@ -3,6 +3,7 @@
 import importlib.util
 import os
 import platform
+import posixpath
 import shutil
 import sys
 import tempfile
@@ -303,7 +304,7 @@ def package_dir_loader(monkeypatch):
 def test_package_dir_source(package_dir_loader, template, expect):
     source, name, up_to_date = package_dir_loader.get_source(None, template)
     assert source.rstrip() == expect
-    assert name.endswith(os.path.join(*split_template_path(template)))
+    assert name.endswith(posixpath.join(*split_template_path(template)))
     assert up_to_date()
 
 
@@ -325,7 +326,7 @@ def package_file_loader(monkeypatch):
 def test_package_file_source(package_file_loader, template, expect):
     source, name, up_to_date = package_file_loader.get_source(None, template)
     assert source.rstrip() == expect
-    assert name.endswith(os.path.join(*split_template_path(template)))
+    assert name.endswith(posixpath.join(*split_template_path(template)))
     assert up_to_date()
 
 
@@ -348,7 +349,7 @@ def package_zip_loader(monkeypatch):
 def test_package_zip_source(package_zip_loader, template, expect):
     source, name, up_to_date = package_zip_loader.get_source(None, template)
     assert source.rstrip() == expect
-    assert name.endswith(os.path.join(*split_template_path(template)))
+    assert name.endswith(posixpath.join(*split_template_path(template)))
     assert up_to_date is None