Files
@ 391fde4cbf12
Branch filter:
Location: kallithea/scripts/generate-ini.py - annotation
391fde4cbf12
2.0 KiB
text/x-python
base: escape branch/tag/bookmark names in 'Switch To' menu to prevent XSS
On repository pages, the 'Switch To' did not escape branches correctly.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks with
.html_escape() .
On repository pages, the 'Switch To' did not escape branches correctly.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks with
.html_escape() .
06d5c043e989 06d5c043e989 451b3f9d814e 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 e3cce237d77c e3cce237d77c 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 fc6b1b0e1096 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 150173a027ee 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 94f6b23e52d0 06d5c043e989 665dfa112f2c 06d5c043e989 06d5c043e989 06d5c043e989 06d5c043e989 665dfa112f2c 06d5c043e989 06d5c043e989 d06039dc4ca2 06d5c043e989 94f6b23e52d0 94f6b23e52d0 06d5c043e989 06d5c043e989 06d5c043e989 | #!/usr/bin/env python2
"""
Based on kallithea/lib/paster_commands/template.ini.mako, generate development.ini
"""
import re
from kallithea.lib import inifile
# files to be generated from the mako template
ini_files = [
('development.ini',
{
'[server:main]': {
'host': '0.0.0.0',
},
'[app:main]': {
'debug': 'true',
'app_instance_uuid': 'development-not-secret',
'beaker.session.secret': 'development-not-secret',
},
'[handler_console]': {
'formatter': 'color_formatter',
},
'[handler_console_sql]': {
'formatter': 'color_formatter_sql',
},
'[logger_routes]': {
'level': 'DEBUG',
},
'[logger_beaker]': {
'level': 'DEBUG',
},
'[logger_templates]': {
'level': 'INFO',
},
'[logger_kallithea]': {
'level': 'DEBUG',
},
'[logger_tg]': {
'level': 'DEBUG',
},
'[logger_gearbox]': {
'level': 'DEBUG',
},
'[logger_whoosh_indexer]': {
'level': 'DEBUG',
},
},
),
]
def main():
# make sure all mako lines starting with '#' (the '##' comments) are marked up as <text>
makofile = inifile.template_file
print 'reading:', makofile
mako_org = open(makofile).read()
mako_no_text_markup = re.sub(r'</?%text>', '', mako_org)
mako_marked_up = re.sub(r'\n(##.*)', r'\n<%text>\1</%text>', mako_no_text_markup, flags=re.MULTILINE)
if mako_marked_up != mako_org:
print 'writing:', makofile
open(makofile, 'w').write(mako_marked_up)
# create ini files
for fn, settings in ini_files:
print 'updating:', fn
inifile.create(fn, None, settings)
if __name__ == '__main__':
main()
|