Files
@ 109b068ba6e5
Branch filter:
Location: kallithea/init.d/kallithea-daemon-debian - annotation
109b068ba6e5
1.7 KiB
text/plain
templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS
On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 e285bb7abb28 2c3d30095d5e e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 2c3d30095d5e e285bb7abb28 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 | #!/bin/sh -e
########################################
#### THIS IS A DEBIAN INIT.D SCRIPT ####
########################################
### BEGIN INIT INFO
# Provides: kallithea
# Required-Start: $all
# Required-Stop: $all
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts instance of kallithea
# Description: starts instance of kallithea using start-stop-daemon
### END INIT INFO
APP_NAME="kallithea"
APP_HOMEDIR="opt"
APP_PATH="/$APP_HOMEDIR/$APP_NAME"
CONF_NAME="production.ini"
PID_PATH="$APP_PATH/$APP_NAME.pid"
LOG_PATH="$APP_PATH/$APP_NAME.log"
PYTHON_PATH="/$APP_HOMEDIR/$APP_NAME-venv"
RUN_AS="root"
DAEMON="$PYTHON_PATH/bin/gearbox"
DAEMON_OPTS="serve --daemon \
--user=$RUN_AS \
--group=$RUN_AS \
--pid-file=$PID_PATH \
--log-file=$LOG_PATH -c $APP_PATH/$CONF_NAME"
start() {
echo "Starting $APP_NAME"
PYTHON_EGG_CACHE="/tmp" start-stop-daemon -d $APP_PATH \
--start --quiet \
--pidfile $PID_PATH \
--user $RUN_AS \
--exec $DAEMON -- $DAEMON_OPTS
}
stop() {
echo "Stopping $APP_NAME"
start-stop-daemon -d $APP_PATH \
--stop --quiet \
--pidfile $PID_PATH || echo "$APP_NAME - Not running!"
if [ -f $PID_PATH ]; then
rm $PID_PATH
fi
}
status() {
echo -n "Checking status of $APP_NAME ... "
pid=`cat $PID_PATH`
status=`ps ax | grep $pid | grep -ve grep`
if [ "$?" -eq 0 ]; then
echo "running"
else
echo "NOT running"
fi
}
case "$1" in
status)
status
;;
start)
start
;;
stop)
stop
;;
restart)
echo "Restarting $APP_NAME"
### stop ###
stop
wait
### start ###
start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
|