Files
@ c7728c5736fd
Branch filter:
Location: kallithea/docs/usage/troubleshooting.rst - annotation
c7728c5736fd
2.3 KiB
text/prs.fallenstein.rst
templates: narrow down scope of webhelpers.html.literal for HTML injection
When using webhelpers.html.literal to inject some explicit HTML code with
some variable data, there are two approaches:
h.literal('some <html> code with %s data' % foobar)
or
h.literal('some <html> code with %s data') % foobar
In the first case, the literal also applies to the contents of variable
'foobar' which may be influenceable by users and thus potentially malicious.
In the second case, this term will be escaped by webhelpers.
See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html#webhelpers.html.builder.literal
"Also, if you add another string to this string, the other string will
be quoted and you will get back another literal object. Also
literal(...) % obj will quote any value(s) from obj."
In files_browser.html, the correction of this scope of literal() also means
that explicit escaping of node.name can be removed. The escaping is now done
automatically by webhelpers as mentioned above.
When using webhelpers.html.literal to inject some explicit HTML code with
some variable data, there are two approaches:
h.literal('some <html> code with %s data' % foobar)
or
h.literal('some <html> code with %s data') % foobar
In the first case, the literal also applies to the contents of variable
'foobar' which may be influenceable by users and thus potentially malicious.
In the second case, this term will be escaped by webhelpers.
See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html#webhelpers.html.builder.literal
"Also, if you add another string to this string, the other string will
be quoted and you will get back another literal object. Also
literal(...) % obj will quote any value(s) from obj."
In files_browser.html, the correction of this scope of literal() also means
that explicit escaping of node.name can be removed. The escaping is now done
automatically by webhelpers as mentioned above.
aa90719e8520 aa90719e8520 aa90719e8520 aa90719e8520 aa90719e8520 aa90719e8520 aa90719e8520 4e6dfdb3fa01 8b8edfc25856 aa90719e8520 4e6dfdb3fa01 8b8edfc25856 8b8edfc25856 aa90719e8520 aa90719e8520 4e6dfdb3fa01 4e6dfdb3fa01 aa90719e8520 aa90719e8520 8b8edfc25856 aa90719e8520 4e6dfdb3fa01 4e6dfdb3fa01 8b8edfc25856 8b8edfc25856 aa90719e8520 aa90719e8520 4e6dfdb3fa01 4e6dfdb3fa01 aa90719e8520 aa90719e8520 aa90719e8520 aa90719e8520 aa90719e8520 4e6dfdb3fa01 aa90719e8520 aa90719e8520 aa90719e8520 aa90719e8520 4e6dfdb3fa01 4e6dfdb3fa01 aa90719e8520 aa90719e8520 aa90719e8520 03bbd33bc084 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 aa90719e8520 aa90719e8520 aa90719e8520 03bbd33bc084 03bbd33bc084 aa90719e8520 af2059eead28 af2059eead28 af2059eead28 03bbd33bc084 4a99684543f7 4a99684543f7 4a99684543f7 4a99684543f7 84d2a9aaa1a4 4e6dfdb3fa01 4a99684543f7 af2059eead28 aa90719e8520 aa90719e8520 cc21a2b86a30 aa90719e8520 aa90719e8520 aa90719e8520 | .. _troubleshooting:
===============
Troubleshooting
===============
:Q: **Missing static files?**
:A: Make sure either to set the ``static_files = true`` in the .ini file or
double check the root path for your http setup. It should point to
for example:
``/home/my-virtual-python/lib/python2.7/site-packages/kallithea/public``
|
:Q: **Can't install celery/rabbitmq?**
:A: Don't worry. Kallithea works without them, too. No extra setup is required.
Try out the great Celery docs for further help.
|
:Q: **Long lasting push timeouts?**
:A: Make sure you set a longer timeout in your proxy/fcgi settings. Timeouts
are caused by the http server and not Kallithea.
|
:Q: **Large pushes timeouts?**
:A: Make sure you set a proper ``max_body_size`` for the http server. Very often
Apache, Nginx, or other http servers kill the connection due to to large
body.
|
:Q: **Apache doesn't pass basicAuth on pull/push?**
:A: Make sure you added ``WSGIPassAuthorization true``.
|
:Q: **Git fails on push/pull?**
:A: Make sure you're using a WSGI http server that can handle chunked encoding
such as ``waitress`` or ``gunicorn``.
|
:Q: **How can I use hooks in Kallithea?**
:A: It's easy if they are Python hooks: just use advanced link in
hooks section in Admin panel, that works only for Mercurial. If
you want to use Git hooks, just install th proper one in the repository,
e.g., create a file `/gitrepo/hooks/pre-receive`. You can also use
Kallithea-extensions to connect to callback hooks, for both Git
and Mercurial.
|
:Q: **Kallithea is slow for me, how can I make it faster?**
:A: See the :ref:`performance` section.
|
:Q: **UnicodeDecodeError on Apache mod_wsgi**
:A: Please read: https://docs.djangoproject.com/en/dev/howto/deployment/wsgi/modwsgi/#if-you-get-a-unicodeencodeerror.
|
:Q: **Requests hanging on Windows**
:A: Please try out with disabled Antivirus software, there are some known problems with Eset Antivirus. Make sure
you have installed the latest Windows patches (especially KB2789397).
.. _virtualenv: http://pypi.python.org/pypi/virtualenv
.. _python: http://www.python.org/
.. _mercurial: https://www.mercurial-scm.org/
.. _celery: http://celeryproject.org/
.. _rabbitmq: http://www.rabbitmq.com/
.. _python-ldap: http://www.python-ldap.org/
|