kallithea Changeset - a8f2986afc18

Changeset - a8f2986afc18

Parent rev.

Child rev.

[Not reviewed]

stable

0 5 0

Nick High - 11 years ago 2015-04-12 20:46:25
nick@silverchip.org

security: Fix HTML and JavaScript injection.

This fixes CVE-2015-1864

5 files changed with 10 insertions and 10 deletions:

kallithea/controllers/admin/repo_groups.py

kallithea/controllers/admin/user_groups.py

kallithea/controllers/admin/users.py

kallithea/model/repo.py

kallithea/templates/summary/summary.html

0 comments (0 inline, 0 general)

kallithea/controllers/admin/repo_groups.py

➞

Show inline comments

@@ @@ -135,25 +135,25 @@ class RepoGroupsController(BaseControlle @@
             .render(repo_group_id, repo_group_name, gr_count, _=_, h=h, c=c,
                     ungettext=ungettext)
+        )
         for repo_gr in group_iter:
             children_groups = map(h.safe_unicode,
                 itertools.chain((g.name for g in repo_gr.parents),
                                 (x.name for x in [repo_gr])))
             repo_count = repo_gr.repositories.count()
             repo_groups_data.append({
                 "raw_name": repo_gr.group_name,
                 "group_name": repo_group_name(repo_gr.group_name, children_groups),
                 "desc": repo_gr.group_description,
+                "desc": h.escape(repo_gr.group_description),
                 "repos": repo_count,
                 "owner": h.person(repo_gr.user),
                 "action": repo_group_actions(repo_gr.group_id, repo_gr.group_name,
                                              repo_count)
             })
         c.data = json.dumps({
             "totalRecords": total_records,
             "startIndex": 0,
             "sort": None,
             "dir": "asc",
             "records": repo_groups_data

kallithea/controllers/admin/user_groups.py

➞

Show inline comments

@@ @@ -104,25 +104,25 @@ class UserGroupsController(BaseControlle @@
             .render(user_group_id, user_group_name, _=_, h=h, c=c)
+        )
         user_group_actions = lambda user_group_id, user_group_name: (
             template.get_def("user_group_actions")
             .render(user_group_id, user_group_name, _=_, h=h, c=c)
+        )
         for user_gr in group_iter:
             user_groups_data.append({
                 "raw_name": user_gr.users_group_name,
                 "group_name": user_group_name(user_gr.users_group_id,
                                               user_gr.users_group_name),
                 "desc": user_gr.user_group_description,
+                "desc": h.escape(user_gr.user_group_description),
                 "members": len(user_gr.members),
                 "active": h.boolicon(user_gr.users_group_active),
                 "owner": h.person(user_gr.user.username),
                 "action": user_group_actions(user_gr.users_group_id, user_gr.users_group_name)
             })
         c.data = json.dumps({
             "totalRecords": total_records,
             "startIndex": 0,
             "sort": None,
             "dir": "asc",
             "records": user_groups_data

kallithea/controllers/admin/users.py

➞

Show inline comments

@@ @@ -87,26 +87,26 @@ class UsersController(BaseController): @@
                 template.get_def("user_name")
                 .render(user_id, username, _=_, h=h, c=c))
         user_actions = lambda user_id, username: (
                 template.get_def("user_actions")
                 .render(user_id, username, _=_, h=h, c=c))
         for user in c.users_list:
             users_data.append({
                 "gravatar": grav_tmpl % h.gravatar(user.email, size=20),
                 "raw_name": user.username,
                 "username": username(user.user_id, user.username),
                 "firstname": user.name,
                 "lastname": user.lastname,
                 "firstname": h.escape(user.name),
                 "lastname": h.escape(user.lastname),
                 "last_login": h.fmt_date(user.last_login),
                 "last_login_raw": datetime_to_time(user.last_login),
                 "active": h.boolicon(user.active),
                 "admin": h.boolicon(user.admin),
                 "extern_type": user.extern_type,
                 "extern_name": user.extern_name,
                 "action": user_actions(user.user_id, user.username),
             })
         c.data = json.dumps({
             "totalRecords": total_records,
             "startIndex": 0,

kallithea/model/repo.py

➞

Show inline comments

@@ @@ -129,26 +129,26 @@ class RepoModel(BaseModel): @@
         repos = AuthUser(user_id=user.user_id).permissions['repositories']
         access_check = lambda r: r[1] in ['repository.read',
                                           'repository.write',
                                           'repository.admin']
         repos = [x[0] for x in filter(access_check, repos.items())]
         return Repository.query().filter(Repository.repo_name.in_(repos))
     def get_users_js(self):
         users = self.sa.query(User).filter(User.active == True).all()
         return json.dumps([
+            {
                 'id': u.user_id,
                 'fname': u.name,
                 'lname': u.lastname,
                 'fname': h.escape(u.name),
                 'lname': h.escape(u.lastname),
                 'nname': u.username,
                 'gravatar_lnk': h.gravatar_url(u.email, size=28),
                 'gravatar_size': 14,
             } for u in users]
+        )
     def get_user_groups_js(self):
         user_groups = self.sa.query(UserGroup) \
             .filter(UserGroup.users_group_active == True) \
             .options(subqueryload(UserGroup.members)) \
             .all()
         user_groups = UserGroupList(user_groups, perm_set=['usergroup.read',
@@ @@ -201,27 +201,27 @@ class RepoModel(BaseModel): @@
             return _render("rss", repo_name)
         def atom_lnk(repo_name):
             return _render("atom", repo_name)
         def last_rev(repo_name, cs_cache):
             return _render('revision', repo_name, cs_cache.get('revision'),
                            cs_cache.get('raw_id'), cs_cache.get('author'),
                            cs_cache.get('message'))
         def desc(desc):
             if c.visual.stylify_metatags:
                 return h.urlify_text(h.desc_stylize(h.truncate(desc, 60)))
+                return h.urlify_text(h.desc_stylize(h.escape(h.truncate(desc, 60))))
             else:
                 return h.urlify_text(h.truncate(desc, 60))
+                return h.urlify_text(h.escape(h.truncate(desc, 60)))
         def state(repo_state):
             return _render("repo_state", repo_state)
         def repo_actions(repo_name):
             return _render('repo_actions', repo_name, super_user_actions)
         def owner_actions(user_id, username):
             return _render('user_name', user_id, username)
         repos_data = []
         for repo in repos_list:

kallithea/templates/summary/summary.html

➞

Show inline comments

@@ @@ -76,27 +76,27 @@ summary = lambda n:{False:'summary-short @@
                   <input style="width:80%" type="text" id="clone_url" readonly="readonly" value="${c.clone_repo_url}"/>
                   <input style="display:none;width:80%" type="text" id="clone_url_id" readonly="readonly" value="${c.clone_repo_url_id}"/>
                   <div style="display:none" id="clone_by_name" class="btn btn-small">${_('Show by Name')}</div>
                   <div id="clone_by_id" class="btn btn-small">${_('Show by ID')}</div>
                 </div>
             </div>
             <div class="field">
               <div class="label-summary">
                   <label>${_('Description')}:</label>
               </div>
                  %if c.visual.stylify_metatags:
                    <div class="input ${summary(c.show_stats)} desc">${h.urlify_text(h.desc_stylize(c.db_repo.description))}</div>
+                   <div class="input ${summary(c.show_stats)} desc">${h.urlify_text(h.desc_stylize(h.escape(c.db_repo.description)))}</div>
                  %else:
                    <div class="input ${summary(c.show_stats)} desc">${h.urlify_text(c.db_repo.description)}</div>
+                   <div class="input ${summary(c.show_stats)} desc">${h.urlify_text(h.escape(c.db_repo.description))}</div>
                  %endif
             </div>
             <div class="field">
               <div class="label-summary">
                   <label>${_('Trending files')}:</label>
               </div>
               <div class="input ${summary(c.show_stats)}">
                 %if c.show_stats:
                 <div id="lang_stats"></div>
                 %else:
                    ${_('Statistics are disabled for this repository')}

0 comments (0 inline, 0 general)