Files
@ 109b068ba6e5
Branch filter:
Location: kallithea/scripts/validate-commits - annotation
109b068ba6e5
1.4 KiB
text/plain
templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS
On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 | #!/usr/bin/env bash
# Validate the specified commits against test suite and other checks.
if [ -n "$VIRTUAL_ENV" ]; then
echo "Please run this script from outside a virtualenv."
exit 1
fi
if ! hg update --check -q .; then
echo "Working dir is not clean, please commit/revert changes first."
exit 1
fi
venv=$(mktemp -d kallithea-validatecommits-env-XXXXXX)
resultfile=$(mktemp kallithea-validatecommits-result-XXXXXX)
echo > "$resultfile"
cleanup()
{
rm -rf /tmp/kallithea-test*
rm -rf "$venv"
}
finish()
{
cleanup
# print (possibly intermediate) results
cat "$resultfile"
rm "$resultfile"
}
trap finish EXIT
for rev in $(hg log -r "$1" -T '{node}\n'); do
hg log -r "$rev"
hg update "$rev"
cleanup
virtualenv -p "$(command -v python2)" "$venv"
source "$venv/bin/activate"
pip install --upgrade pip setuptools
pip install -e .
pip install -r dev_requirements.txt
pip install python-ldap python-pam
# run-all-cleanup
scripts/run-all-cleanup
if ! hg update --check -q .; then
echo "run-all-cleanup did not give clean results!"
result="NOK"
hg diff
hg revert -a
else
result=" OK"
fi
echo "$result: $rev (run-all-cleanup)" >> "$resultfile"
# pytest
if py.test; then
result=" OK"
else
result="NOK"
fi
echo "$result: $rev (pytest)" >> "$resultfile"
deactivate
echo
done
|