Fix path traversal via backslash URI on Windows in TemplateLookup

The URI normalization in TemplateLookup.get_template() used posixpath
which treats backslash as a literal character, but os.path.isfile()
on Windows treats it as a path separator.  A URI such as
"\..\secret.txt" could bypass the directory traversal check.
Backslash characters in URIs are now normalized to forward slashes
before path resolution in both get_template() and Template.__init__.

Fixes: #435
Change-Id: I68badd0f4f07ec086a1c609de335d7366daac6ef

Author: zzzeek

doc/build/unreleased/435.rst

@@ -0,0 +1,10 @@
+.. change::
+    :tags: bug, template
+    :tickets: 435
+
+    Fixed issue in :class:`.TemplateLookup` where a URI with backslash path
+    separators (e.g. ``\..\secret.txt``) could bypass the directory traversal
+    check on Windows, allowing reads of arbitrary files outside of the template
+    directory.  This is an incomplete fix for :cve:`2026-41205`.  Backslash
+    characters in URIs are now normalized to forward slashes before path
+    resolution.

mako/lookup.py

@@ -241,7 +241,7 @@ def get_template(self, uri):
             else:
                 return self._collection[uri]
         except KeyError as e:
-            u = re.sub(r"^\/+", "", uri)
+            u = re.sub(r"^\/+", "", uri.replace("\\", "/"))
             for dir_ in self.directories:
                 # make sure the path seperators are posix - os.altsep is empty
                 # on POSIX and cannot be used.

mako/template.py

@@ -259,7 +259,7 @@ def __init__(
             self.module_id = "memory:" + hex(id(self))
             self.uri = self.module_id
 
-        u_norm = self.uri.lstrip("/")
+        u_norm = self.uri.replace("\\", "/").lstrip("/")
         u_norm = os.path.normpath(u_norm)
         if u_norm.startswith(".."):
             raise exceptions.TemplateLookupException(

test/test_lookup.py

@@ -168,6 +168,46 @@ def test_dont_accept_relative_outside_of_root_via_double_slash(self):
                 "///" + rel,
             )
 
+    def test_dont_accept_relative_outside_of_root_via_backslash(self):
+        """test that backslash traversal URI can't bypass the
+        path traversal check"""
+        with tempfile.TemporaryDirectory() as base:
+            tmpl_dir = os.path.join(base, "app", "templates")
+            os.makedirs(tmpl_dir)
+            with open(os.path.join(tmpl_dir, "index.html"), "w") as f:
+                f.write("Hello")
+
+            secret = os.path.join(base, "secrets", "creds.txt")
+            os.makedirs(os.path.dirname(secret))
+            with open(secret, "w") as f:
+                f.write("SECRET_KEY=supersecret123")
+
+            tl = lookup.TemplateLookup(directories=[tmpl_dir])
+            rel = os.path.relpath(secret, tmpl_dir).replace("/", "\\")
+
+            assert_raises_message(
+                exceptions.TemplateLookupException,
+                "cannot be relative outside of the root path",
+                tl.get_template,
+                rel,
+            )
+
+            # with leading backslash
+            assert_raises_message(
+                exceptions.TemplateLookupException,
+                "cannot be relative outside of the root path",
+                tl.get_template,
+                "\\" + rel,
+            )
+
+            # with leading forward slash
+            assert_raises_message(
+                exceptions.TemplateLookupException,
+                "cannot be relative outside of the root path",
+                tl.get_template,
+                "/" + rel,
+            )
+
     def test_checking_against_bad_filetype(self):
         with tempfile.TemporaryDirectory() as tempdir:
             tl = lookup.TemplateLookup(directories=[tempdir])