Files
@ 603f5f7c323d
Branch filter:
Location: kallithea/scripts/make-release - annotation
603f5f7c323d
2.3 KiB
text/plain
pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted
If a user first or last name contains javascript, these fields need proper
escaping to avoid XSS attacks.
An example scenario is:
- the malicious user creates a repository. This will cause this user to be
listed automatically under 'Potential Reviewers' in pull requests.
- another user creates a pull request on that repository and selects the
suggested reviewer from the 'Potential Reviewers' list.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
Technical note: the other caller of addReviewMember in base.js itself does
_not_ need to be adapted to escape the input values, because the input
values (oData) are _already_ escaped (by the YUI framework).
If a user first or last name contains javascript, these fields need proper
escaping to avoid XSS attacks.
An example scenario is:
- the malicious user creates a repository. This will cause this user to be
listed automatically under 'Potential Reviewers' in pull requests.
- another user creates a pull request on that repository and selects the
suggested reviewer from the 'Potential Reviewers' list.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
Technical note: the other caller of addReviewMember in base.js itself does
_not_ need to be adapted to escape the input values, because the input
values (oData) are _already_ escaped (by the YUI framework).
d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa f5b5749113aa d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d4f66ca15110 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d4f66ca15110 d4f66ca15110 d06c0566cb23 d4f66ca15110 d4f66ca15110 d4f66ca15110 d06c0566cb23 d4f66ca15110 d4f66ca15110 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d4f66ca15110 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 d4f66ca15110 d06c0566cb23 d4f66ca15110 d06c0566cb23 d06c0566cb23 d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 d06c0566cb23 d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 d06c0566cb23 d4f66ca15110 d4f66ca15110 d4f66ca15110 d4f66ca15110 d06c0566cb23 d06c0566cb23 d06c0566cb23 d06c0566cb23 | #!/bin/bash
set -e
set -x
cleanup()
{
echo "Removing venv $venv"
rm -rf "$venv"
}
echo "Checking that you are NOT inside a virtualenv"
[ -z "$VIRTUAL_ENV" ]
venv=$(mktemp -d --tmpdir kallithea-release-XXXXX)
trap cleanup EXIT
echo "Setting up a fresh virtualenv in $venv"
virtualenv -p python2 "$venv"
. "$venv/bin/activate"
echo "Install/verify tools needed for building and uploading stuff"
pip install --upgrade -e .
pip install --upgrade Sphinx Sphinx-PyPI-upload
echo "Cleanup and update copyrights ... and clean checkout"
scripts/whitespacecleanup.sh
scripts/update-copyrights.py
hg up -cr .
echo "Make release build from clean checkout in build/"
rm -rf build dist
hg archive build
cd build
echo "Check MANIFEST.in"
sed -e 's/[^ ]*[ ]*\([^ ]*\).*/\1/g' MANIFEST.in | grep -v '^node_modules/bootstrap\|^kallithea/public/css/style.css' | xargs ls -lad
echo "Build dist"
python2 setup.py compile_catalog
python2 setup.py sdist
echo "Verify VERSION from kallithea/__init__.py"
namerel=$(cd dist && echo Kallithea-*.tar.gz)
namerel=${namerel%.tar.gz}
version=${namerel#Kallithea-}
ls -l $(pwd)/dist/$namerel.tar.gz
echo "Releasing Kallithea $version in directory $namerel"
echo "Verify dist file content"
! tar tf dist/Kallithea-$version.tar.gz | grep "$namerel/node_modules/bootstrap/\$"
echo "Verify docs build"
python2 setup.py build_sphinx # not used yet ... but we want to make sure it builds
cat - << EOT
Now, make sure
* all tests are passing
* release note is ready
* announcement is ready
* source has been pushed to https://kallithea-scm.org/repos/kallithea
EOT
echo "Verify current revision is tagged for $version"
hg log -r "'$version'&." | grep .
echo -n "Enter \"pypi\" to upload Kallithea $version to pypi: "
read answer
[ "$answer" = "pypi" ]
echo "Upload docs to pypi"
# See https://wiki.python.org/moin/PyPiDocumentationHosting
python2 setup.py build_sphinx upload_sphinx
xdg-open http://packages.python.org/Kallithea/installation.html
echo "Rebuild readthedocs for docs.kallithea-scm.org"
xdg-open https://readthedocs.org/projects/kallithea/
curl -X POST http://readthedocs.org/build/kallithea
xdg-open https://readthedocs.org/builds/kallithea/
xdg-open http://docs.kallithea-scm.org/en/latest/ # or whatever the branch is
extraargs=${EMAIL:+--identity=$EMAIL}
python2 setup.py sdist upload --sign $extraargs
xdg-open https://pypi.python.org/pypi/Kallithea
|