Files
@ ddad3be4dc44
Branch filter:
Location: kallithea/scripts/shortlog.py - annotation
ddad3be4dc44
1.0 KiB
text/x-python
changeset: fix XSS vulnerability in parent-child navigation
The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser
normally immediately jump to the correct revision upon click. But, if there
are multiple candidates, e.g. two children of a commit, then a list of
revisions is shown as hyperlinks instead.
These hyperlinks have a 'title' attribute containing the full commit message
of the corresponding commit. When this commit message contains characters
special to HTML, like ", >, etc. they were added literally to the HTML code.
This can lead to a cross-site scripting (XSS) vulnerability when an attacker
has write access to a repository. They could craft a special commit message
that would introduce HTML and/or JavaScript code when the commit is listed
in such 'parent-child' navigation links.
Escape the commit message before using it further.
The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser
normally immediately jump to the correct revision upon click. But, if there
are multiple candidates, e.g. two children of a commit, then a list of
revisions is shown as hyperlinks instead.
These hyperlinks have a 'title' attribute containing the full commit message
of the corresponding commit. When this commit message contains characters
special to HTML, like ", >, etc. they were added literally to the HTML code.
This can lead to a cross-site scripting (XSS) vulnerability when an attacker
has write access to a repository. They could craft a special commit message
that would introduce HTML and/or JavaScript code when the commit is listed
in such 'parent-child' navigation links.
Escape the commit message before using it further.
30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 30e3d0a14f09 | #!/usr/bin/env python2
# -*- coding: utf-8 -*-
"""
Kallithea script for generating a quick overview of contributors and their
commit counts in a given revision set.
"""
import argparse
import os
from collections import Counter
import contributor_data
def main():
parser = argparse.ArgumentParser(description='Generate a list of committers and commit counts.')
parser.add_argument('revset',
help='revision set specifying the commits to count')
args = parser.parse_args()
repo_entries = [
(contributor_data.name_fixes.get(name) or contributor_data.name_fixes.get(name.rsplit('<', 1)[0].strip()) or name).rsplit('<', 1)[0].strip()
for name in (line.strip()
for line in os.popen("""hg log -r '%s' -T '{author}\n'""" % args.revset).readlines())
]
counter = Counter(repo_entries)
for name, count in counter.most_common():
if name == '':
continue
print('%4s %s' % (count, name))
if __name__ == '__main__':
main()
|