Files
@ 603f5f7c323d
Branch filter:
Location: kallithea/init.d/celeryd-upstart.conf - annotation
603f5f7c323d
904 B
text/plain
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted
If a user first or last name contains javascript, these fields need proper
escaping to avoid XSS attacks.
An example scenario is:
- the malicious user creates a repository. This will cause this user to be
listed automatically under 'Potential Reviewers' in pull requests.
- another user creates a pull request on that repository and selects the
suggested reviewer from the 'Potential Reviewers' list.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
Technical note: the other caller of addReviewMember in base.js itself does
_not_ need to be adapted to escape the input values, because the input
values (oData) are _already_ escaped (by the YUI framework).
If a user first or last name contains javascript, these fields need proper
escaping to avoid XSS attacks.
An example scenario is:
- the malicious user creates a repository. This will cause this user to be
listed automatically under 'Potential Reviewers' in pull requests.
- another user creates a pull request on that repository and selects the
suggested reviewer from the 'Potential Reviewers' list.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
Technical note: the other caller of addReviewMember in base.js itself does
_not_ need to be adapted to escape the input values, because the input
values (oData) are _already_ escaped (by the YUI framework).
99ad9d0af1a3 58df0b3ed377 58df0b3ed377 58df0b3ed377 24c0d584ba86 58df0b3ed377 58df0b3ed377 99ad9d0af1a3 99ad9d0af1a3 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 99ad9d0af1a3 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 99ad9d0af1a3 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 | # celeryd - run the celeryd daemon as an upstart job for kallithea
# Change variables/paths as necessary and place file /etc/init/celeryd.conf
# start/stop/restart as normal upstart job (ie: $ start celeryd)
description "Celery for Kallithea Mercurial Server"
author "Matt Zuba <matt.zuba@goodwillaz.org"
start on starting kallithea
stop on stopped kallithea
respawn
umask 0022
env PIDFILE=/tmp/celeryd.pid
env APPINI=/var/hg/kallithea/production.ini
env HOME=/var/hg
env USER=hg
# To use group (if different from user), you must edit sudoers file and change
# root's entry from (ALL) to (ALL:ALL)
# env GROUP=hg
script
COMMAND="/var/hg/.virtualenvs/kallithea/bin/paster celeryd $APPINI --pidfile=$PIDFILE"
if [ -z "$GROUP" ]; then
exec sudo -u $USER $COMMAND
else
exec sudo -u $USER -g $GROUP $COMMAND
fi
end script
post-stop script
rm -f $PIDFILE
end script
|