Diffstat (limited to 'modules/caddyhttp/templates/tplcontext.go')
-rw-r--r--modules/caddyhttp/templates/tplcontext.go6
1 files changed, 6 insertions, 0 deletions
diff --git a/modules/caddyhttp/templates/tplcontext.go b/modules/caddyhttp/templates/tplcontext.go
index 8ba64200f..4c7c86e13 100644
--- a/modules/caddyhttp/templates/tplcontext.go
+++ b/modules/caddyhttp/templates/tplcontext.go
@@ -249,6 +249,12 @@ func (c *TemplateContext) executeTemplateInBuffer(tplName string, buf *bytes.Buf
func (c TemplateContext) funcPlaceholder(name string) string {
repl := c.Req.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
+
+ // For safety, we don't want to allow the file placeholder in
+ // templates because it could be used to read arbitrary files
+ // if the template contents were not trusted.
+ repl = repl.WithoutFile()
+
value, _ := repl.GetString(name)
return value
}
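Review bot: The file placeholder is stripped only from the replacer local to funcPlaceholder, so any other template function in this file that takes the replacer from `caddy.ReplacerCtxKey` would still resolve it. Those functions are outside this hunk and are worth checking against the same untrusted-template threat model. The second result of `repl.GetString(name)` is discarded, so a blocked lookup is presumably indistinguishable from an empty value. A regression test asserting that a file placeholder passed to this function never returns file contents would pin the behaviour. The restriction would also be easier to find in the function's doc comment, e.g. `// funcPlaceholder resolves a placeholder by name; the file placeholder is intentionally not available to templates.`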