Files @ c9bd000a4567
Branch filter:

Location: kallithea/docs/usage/backup.rst - annotation

c9bd000a4567 512 B text/prs.fallenstein.rst Show Source Show as Raw Download as Raw
Mads Kiilerich
templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS

On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
af371e206ec5
af371e206ec5
17c9393e9645
e73a69cb98dc
af371e206ec5
af371e206ec5
af371e206ec5
af371e206ec5
af371e206ec5
af371e206ec5
e73a69cb98dc
af371e206ec5
fbbe80e3322b
af371e206ec5
af371e206ec5
af371e206ec5
4e6dfdb3fa01
4e6dfdb3fa01
af371e206ec5
af371e206ec5
af371e206ec5
af371e206ec5
af371e206ec5
e73a69cb98dc
af371e206ec5
af371e206ec5
4e6dfdb3fa01

.. _backup:

====================
Backing up Kallithea
====================


Settings
--------

Just copy your .ini file, it contains all Kallithea settings.


Whoosh index
------------

The Whoosh index is located in the ``data/index`` directory where you installed
Kallithea, i.e., the same place where the ini file is located


Database
--------

When using sqlite just copy kallithea.db.
Any other database engine requires a manual backup operation.

A database backup will contain all gathered statistics.
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.