kallithea Files · init.d/kallithea-daemon-debian

Files @ b9b719fb4774

Branch filter:

Location: kallithea/init.d/kallithea-daemon-debian - annotation

b9b719fb4774 1.7 KiB text/plain Show Source Show as Raw Download as Raw

Thomas De Schampheleire

search: fix XSS vulnerability in search results

The search feature did not correctly escape all arguments when displaying
search matches and linking to the corresponding files.

An attacker that can control the contents of a repository could thus cause
a cross-site scripting (XSS) vulnerability.

Fix the problem by removing the overall h.literal call that is only needed
for the HTML entity » and splitting the link instead.

We take the opportunity to improving the destination of the part before
» which is the path to the repository. Instead of pointing to the
search result, point to the repository itself.
The part after » remains linked to the file containing the search
match.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
e285bb7abb28
2c3d30095d5e
e285bb7abb28
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
2c3d30095d5e
e285bb7abb28
e285bb7abb28
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28

#!/bin/sh -e
########################################
#### THIS IS A DEBIAN INIT.D SCRIPT ####
########################################

### BEGIN INIT INFO
# Provides:          kallithea
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts instance of kallithea
# Description:       starts instance of kallithea using start-stop-daemon
### END INIT INFO

APP_NAME="kallithea"
APP_HOMEDIR="opt"
APP_PATH="/$APP_HOMEDIR/$APP_NAME"

CONF_NAME="production.ini"

PID_PATH="$APP_PATH/$APP_NAME.pid"
LOG_PATH="$APP_PATH/$APP_NAME.log"

PYTHON_PATH="/$APP_HOMEDIR/$APP_NAME-venv"

RUN_AS="root"

DAEMON="$PYTHON_PATH/bin/gearbox"

DAEMON_OPTS="serve --daemon \
 --user=$RUN_AS \
 --group=$RUN_AS \
 --pid-file=$PID_PATH \
 --log-file=$LOG_PATH -c $APP_PATH/$CONF_NAME"


start() {
  echo "Starting $APP_NAME"
  PYTHON_EGG_CACHE="/tmp" start-stop-daemon -d $APP_PATH \
      --start --quiet \
      --pidfile $PID_PATH \
      --user $RUN_AS \
      --exec $DAEMON -- $DAEMON_OPTS
}

stop() {
  echo "Stopping $APP_NAME"
  start-stop-daemon -d $APP_PATH \
      --stop --quiet \
      --pidfile $PID_PATH || echo "$APP_NAME - Not running!"

  if [ -f $PID_PATH ]; then
    rm $PID_PATH
  fi
}

status() {
  echo -n "Checking status of $APP_NAME ... "
  pid=`cat $PID_PATH`
  status=`ps ax | grep $pid | grep -ve grep`
  if [ "$?" -eq 0 ]; then
    echo "running"
  else
    echo "NOT running"
  fi
}

case "$1" in
  status)
   status
    ;;
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    echo "Restarting $APP_NAME"
    ### stop ###
    stop
    wait
    ### start ###
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac