Changeset - 391fde4cbf12
default
Mads Kiilerich - 7 years ago 2019-02-27 02:30:18
mads@kiilerich.com
base: escape branch/tag/bookmark names in 'Switch To' menu to prevent XSS

On repository pages, the 'Switch To' did not escape branches correctly.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmark names with
.html_escape().
1 file changed with 2 insertions and 2 deletions:
kallithea/templates/base/base.html
 
@@ -101,196 +101,196 @@
 

	
 
        ## public/private
 
        %if c.db_repo.private:
 
          <i class="icon-lock"></i>
 
        %else:
 
          <i class="icon-globe"></i>
 
        %endif
 
        %for group in c.db_repo.groups_with_parents:
 
          ${h.link_to(group.name, url('repos_group_home', group_name=group.group_name), class_='navbar-link')}
 
          &raquo;
 
        %endfor
 
        ${h.link_to(c.db_repo.just_name, url('summary_home', repo_name=c.db_repo.repo_name), class_='navbar-link')}
 

	
 
        %if current == 'createfork':
 
         - ${_('Create Fork')}
 
        %endif
 
      </div>
 
      <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#context-pages" aria-expanded="false">
 
        <span class="sr-only">Toggle navigation</span>
 
        <span class="icon-bar"></span>
 
        <span class="icon-bar"></span>
 
        <span class="icon-bar"></span>
 
      </button>
 
    </div>
 
    <div id="context-pages" class="navbar-collapse collapse">
 
    <ul class="nav navbar-nav navbar-right">
 
        <li class="${'active' if current == 'summary' else ''}" data-context="summary"><a href="${h.url('summary_home', repo_name=c.repo_name)}"><i class="icon-doc-text"></i>${_('Summary')}</a></li>
 
        %if rev:
 
        <li class="${'active' if current == 'changelog' else ''}" data-context="changelog"><a href="${h.url('changelog_file_home', repo_name=c.repo_name, revision=rev, f_path='')}"><i class="icon-clock"></i>${_('Changelog')}</a></li>
 
        %else:
 
        <li class="${'active' if current == 'changelog' else ''}" data-context="changelog"><a href="${h.url('changelog_home', repo_name=c.repo_name)}"><i class="icon-clock"></i>${_('Changelog')}</a></li>
 
        %endif
 
        <li class="${'active' if current == 'files' else ''}" data-context="files"><a href="${h.url('files_home', repo_name=c.repo_name, revision=rev or 'tip')}"><i class="icon-doc-inv"></i>${_('Files')}</a></li>
 
        <li class="${'active' if current == 'showpullrequest' else ''}" data-context="showpullrequest">
 
          <a href="${h.url('pullrequest_show_all',repo_name=c.repo_name)}" title="${_('Show Pull Requests for %s') % c.repo_name}"> <i class="icon-git-pull-request"></i>${_('Pull Requests')}
 
            %if c.repository_pull_requests:
 
              <span class="badge">${c.repository_pull_requests}</span>
 
            %endif
 
          </a>
 
        </li>
 
        <li class="${'active' if current == 'switch-to' else ''}" data-context="switch-to">
 
          <input id="branch_switcher" name="branch_switcher" type="hidden">
 
        </li>
 
        <li class="${'active' if current == 'options' else ''} dropdown" data-context="options">
 
             %if h.HasRepoPermissionLevel('admin')(c.repo_name):
 
               <a href="${h.url('edit_repo',repo_name=c.repo_name)}" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" aria-haspopup="true"><i class="icon-wrench"></i>${_('Options')} <i class="caret"></i></a>
 
             %else:
 
               <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-expanded="false" aria-haspopup="true"><i class="icon-wrench"></i>${_('Options')} <i class="caret"></i></a>
 
             %endif
 
          <ul class="dropdown-menu" role="menu" aria-hidden="true">
 
             %if h.HasRepoPermissionLevel('admin')(c.repo_name):
 
                   <li><a href="${h.url('edit_repo',repo_name=c.repo_name)}"><i class="icon-gear"></i>${_('Settings')}</a></li>
 
             %endif
 
              %if c.db_repo.fork:
 
               <li><a href="${h.url('compare_url',repo_name=c.db_repo.fork.repo_name,org_ref_type=c.db_repo.landing_rev[0],org_ref_name=c.db_repo.landing_rev[1], other_repo=c.repo_name,other_ref_type='branch' if request.GET.get('branch') else c.db_repo.landing_rev[0],other_ref_name=request.GET.get('branch') or c.db_repo.landing_rev[1], merge=1)}">
 
                   <i class="icon-git-compare"></i>${_('Compare Fork')}</a></li>
 
              %endif
 
              <li><a href="${h.url('compare_home',repo_name=c.repo_name)}"><i class="icon-git-compare"></i>${_('Compare')}</a></li>
 

	
 
              <li><a href="${h.url('search_repo',repo_name=c.repo_name)}"><i class="icon-search"></i>${_('Search')}</a></li>
 

	
 
              %if h.HasRepoPermissionLevel('write')(c.repo_name) and c.db_repo.enable_locking:
 
                %if c.db_repo.locked[0]:
 
                  <li><a href="${h.url('toggle_locking', repo_name=c.repo_name)}"><i class="icon-lock"></i>${_('Unlock')}</a></li>
 
                %else:
 
                  <li><a href="${h.url('toggle_locking', repo_name=c.repo_name)}"><i class="icon-lock-open-alt"></i>${_('Lock')}</a></li>
 
                %endif
 
              %endif
 
              ## TODO: this check feels wrong, it would be better to have a check for permissions
 
              ## also it feels like a job for the controller
 
              %if request.authuser.username != 'default':
 
                  <li>
 
                   <a href="#" class="${'following' if c.repository_following else 'follow'}" onclick="toggleFollowingRepo(this, ${c.db_repo.repo_id});">
 
                    <span class="show-follow"><i class="icon-heart-empty"></i>${_('Follow')}</span>
 
                    <span class="show-following"><i class="icon-heart"></i>${_('Unfollow')}</span>
 
                   </a>
 
                  </li>
 
                  <li><a href="${h.url('repo_fork_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i>${_('Fork')}</a></li>
 
                  <li><a href="${h.url('pullrequest_home',repo_name=c.repo_name)}"><i class="icon-git-pull-request"></i>${_('Create Pull Request')}</a></li>
 
              %endif
 
             </ul>
 
        </li>
 
    </ul>
 
    </div>
 
    </div>
 
  </nav>
 
  <script type="text/javascript">
 
    $(document).ready(function() {
 
      var bcache = {};
 

	
 
      var branch_switcher_placeholder = '<i class="icon-exchange"></i>' + ${h.jshtml(_('Switch To'))} + ' <span class="caret"></span>';
 
      $("#branch_switcher").select2({
 
          placeholder: branch_switcher_placeholder,
 
          dropdownAutoWidth: true,
 
          sortResults: prefixFirstSort,
 
          formatResult: function(obj) {
 
              return obj.text;
 
              return obj.text.html_escape();
 
          },
 
          formatSelection: function(obj) {
 
              return obj.text;
 
              return obj.text.html_escape();
 
          },
 
          formatNoMatches: function(term) {
 
              return ${h.jshtml(_('No matches found'))};
 
          },
 
          escapeMarkup: function(m) {
 
              if (m == branch_switcher_placeholder)
 
                  return branch_switcher_placeholder;
 
              return Select2.util.escapeMarkup(m);
 
          },
 
          containerCssClass: "branch-switcher",
 
          dropdownCssClass: "repo-switcher-dropdown",
 
          query: function(query) {
 
              var key = 'cache';
 
              var cached = bcache[key];
 
              if (cached) {
 
                  var data = {
 
                      results: []
 
                  };
 
                  // filter results
 
                  $.each(cached.results, function() {
 
                      var section = this.text;
 
                      var children = [];
 
                      $.each(this.children, function() {
 
                          if (query.term.length === 0 || this.text.toUpperCase().indexOf(query.term.toUpperCase()) >= 0) {
 
                              children.push({
 
                                  'id': this.id,
 
                                  'text': this.text,
 
                                  'type': this.type,
 
                                  'obj': this.obj
 
                              });
 
                          }
 
                      });
 
                      if (children.length !== 0) {
 
                          data.results.push({
 
                              'text': section,
 
                              'children': children
 
                          });
 
                      }
 

	
 
                  });
 
                  query.callback(data);
 
              } else {
 
                  $.ajax({
 
                      url: pyroutes.url('repo_refs_data', {
 
                          'repo_name': ${h.js(c.repo_name)}
 
                      }),
 
                      data: {},
 
                      dataType: 'json',
 
                      type: 'GET',
 
                      success: function(data) {
 
                          bcache[key] = data;
 
                          query.callback(data);
 
                      }
 
                  });
 
              }
 
          }
 
      });
 

	
 
      $("#branch_switcher").on('select2-selecting', function(e) {
 
          e.preventDefault();
 
          var context = $('#context-bar .active').data('context');
 
          if (context == 'files') {
 
              window.location = pyroutes.url('files_home', {
 
                  'repo_name': REPO_NAME,
 
                  'revision': e.choice.id,
 
                  'f_path': '',
 
                  'at': e.choice.text
 
              });
 
          } else if (context == 'changelog') {
 
              if (e.choice.type == 'tag' || e.choice.type == 'book') {
 
                  $("#branch_filter").append($('<'+'option/>').val(e.choice.text));
 
              }
 
              $("#branch_filter").val(e.choice.text).change();
 
          } else {
 
              window.location = pyroutes.url('changelog_home', {
 
                  'repo_name': ${h.js(c.repo_name)},
 
                  'branch': e.choice.text
 
              });
 
          }
 
      });
 
    });
 
  </script>
 
  <!--- END CONTEXT BAR -->
 
</%def>
 

	
 
<%def name="menu(current=None)">
 
  <ul id="quick" class="nav navbar-nav navbar-right">
 
    <!-- repo switcher -->
 
    <li class="${'active' if current == 'repositories' else ''}">
 
      <input id="repo_switcher" name="repo_switcher" type="hidden">
 
    </li>
 

	
 
    ##ROOT MENU
 
    %if request.authuser.username != 'default':
 
      <li class="${'active' if current == 'journal' else ''}">
 
        <a class="menu_link" title="${_('Show recent activity')}"  href="${h.url('journal')}">
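Review bot: The two new `return obj.text.html_escape();` lines in formatResult and formatSelection depend on a String.prototype extension (`html_escape`) that this template neither defines nor mentions, and the `escapeMarkup` option a few lines below gives a reader the impression that Select2 already escapes formatter output. As far as I recall, Select2 3.x hands `escapeMarkup` to `formatResult`/`formatSelection` as an extra argument rather than applying it to their return value, so these two formatters are the only thing between an attacker-controlled ref name and the DOM. A one-line comment above each formatter would make that explicit, e.g. `// Select2 does not escape custom formatter output; ref names come from pushed data, so escape here`. An alternative worth weighing is the callback Select2 passes in — `formatSelection: function(obj, container, escapeMarkup) { return escapeMarkup(obj.text); }` — so the placeholder special-case and the ref names go through the same `escapeMarkup` option, but confirm the formatter signature of the bundled Select2 version first. The enclosing `<%def>` opens above the hunk; the `$(document).ready` handler itself is fully inside it.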