Files
@ 391fde4cbf12
Branch filter:
Location: kallithea/init.d/kallithea-upstart.conf - annotation
391fde4cbf12
759 B
text/plain
base: escape branch/tag/bookmark names in 'Switch To' menu to prevent XSS
On repository pages, the 'Switch To' did not escape branches correctly.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks with
.html_escape() .
On repository pages, the 'Switch To' did not escape branches correctly.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks with
.html_escape() .
99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 e285bb7abb28 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 99ad9d0af1a3 2c3d30095d5e 99ad9d0af1a3 99ad9d0af1a3 e285bb7abb28 99ad9d0af1a3 | # kallithea - run the kallithea daemon as an upstart job
# Change variables/paths as necessary and place file /etc/init/kallithea.conf
# start/stop/restart as normal upstart job (ie: $ start kallithea)
description "Kallithea Mercurial Server"
author "Matt Zuba <matt.zuba@goodwillaz.org"
start on (local-filesystems and runlevel [2345])
stop on runlevel [!2345]
respawn
umask 0022
env PIDFILE=/var/hg/kallithea/kallithea.pid
env LOGFILE=/var/hg/kallithea/log/kallithea.log
env APPINI=/var/hg/kallithea/production.ini
env HOME=/var/hg
env USER=hg
env GROUP=hg
exec /var/hg/.virtualenvs/kallithea/bin/gearbox serve --user=$USER --group=$GROUP --pid-file=$PIDFILE --log-file=$LOGFILE -c $APPINI
post-stop script
rm -f $PIDFILE
end script
|