kallithea Changeset - c9159e6fda04

Changeset - c9159e6fda04

Parent rev.

Child rev.

[Not reviewed]

default

0 6 0

Thomas De Schampheleire - 7 years ago 2019-01-26 20:00:14
thomas.de_schampheleire@nokia.com

cleanup: remove unnecessary (and potentially problematic) use of 'literal'

webhelpers.html.literal (kallithea.lib.helpers.literal) is only needed when
the passed string may contain HTML that needs to be interpreted literally.
It is unnecessary for plain strings.

Incorrect usage of literal can lead to XSS issues, via a malicious user
controlling data which will be rendered in other users' browsers. The data
could either be stored previously in the system or be part of a forged URL
the victim clicks on.

For example, when a user browses to a forged URL where a repository
changeset or branch name contains a javascript snippet, the snippet
was executed when printed on the page using 'literal'.

Remaining uses of 'literal' have been reviewed with no apparent problems
found.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

6 files changed with 11 insertions and 13 deletions:

kallithea/controllers/changelog.py

kallithea/controllers/pullrequests.py

kallithea/lib/auth.py

kallithea/lib/base.py

kallithea/templates/admin/settings/settings_system_update.html

kallithea/templates/base/default_perms_box.html

0 comments (0 inline, 0 general)

kallithea/controllers/changelog.py

➞

Show inline comments

@@ @@ -61,14 +61,13 @@ class ChangelogController(BaseRepoContro @@
         :param repo: repo instance
         """
         try:
             return c.db_repo_scm_instance.get_changeset(rev)
         except EmptyRepositoryError as e:
             h.flash(h.literal(_('There are no changesets yet')),
                     category='error')
             h.flash(_('There are no changesets yet'), category='error')
         except RepositoryError as e:
             log.error(traceback.format_exc())
             h.flash(safe_str(e), category='error')
         raise HTTPBadRequest()
     @LoginRequired(allow_default_user=True)

kallithea/controllers/pullrequests.py

➞

Show inline comments

@@ @@ -246,13 +246,13 @@ class PullrequestsController(BaseRepoCon @@
     def index(self):
         org_repo = c.db_repo
         org_scm_instance = org_repo.scm_instance
         try:
             org_scm_instance.get_changeset()
         except EmptyRepositoryError as e:
-            h.flash(h.literal(_('There are no changesets yet')),
             h.flash(_('There are no changesets yet'),
                     category='warning')
             raise HTTPFound(location=url('summary_home', repo_name=org_repo.repo_name))
         org_rev = request.GET.get('rev_end')
         # rev_start is not directly useful - its parent could however be used
         # as default for other and thus give a simple compare view

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -731,13 +731,13 @@ def set_available_permissions(config): @@
 def _redirect_to_login(message=None):
     """Return an exception that must be raised. It will redirect to the login
     page which will redirect back to the current URL after authentication.
     The optional message will be shown in a flash message."""
     from kallithea.lib import helpers as h
     if message:
-        h.flash(h.literal(message), category='warning')
         h.flash(message, category='warning')
     p = request.path_qs
     log.debug('Redirecting to login page, origin: %s', p)
     return HTTPFound(location=url('login_home', came_from=p))
 # Use as decorator

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -577,13 +577,13 @@ class BaseRepoController(BaseController) @@
             dbr = c.db_repo = _dbr
             c.db_repo_scm_instance = c.db_repo.scm_instance
             if c.db_repo_scm_instance is None:
                 log.error('%s this repository is present in database but it '
                           'cannot be created as an scm instance', c.repo_name)
                 from kallithea.lib import helpers as h
-                h.flash(h.literal(_('Repository not found in the filesystem')),
                 h.flash(_('Repository not found in the filesystem'),
                         category='error')
                 raise webob.exc.HTTPNotFound()
             # some globals counter for menu
             c.repository_followers = self.scm_model.get_followers(dbr)
             c.repository_forks = self.scm_model.get_forks(dbr)
@@ @@ -599,18 +599,17 @@ class BaseRepoController(BaseController) @@
         from kallithea.lib import helpers as h
         try:
             return repo.scm_instance.get_ref_revision(ref_type, ref_name)
         except EmptyRepositoryError as e:
             if returnempty:
                 return repo.scm_instance.EMPTY_CHANGESET
             h.flash(h.literal(_('There are no changesets yet')),
                     category='error')
             h.flash(_('There are no changesets yet'), category='error')
             raise webob.exc.HTTPNotFound()
         except ChangesetDoesNotExistError as e:
             h.flash(h.literal(_('Changeset for %s %s not found in %s') %
                               (ref_type, ref_name, repo.repo_name)),
             h.flash(_('Changeset for %s %s not found in %s') %
                               (ref_type, ref_name, repo.repo_name),
                     category='error')
             raise webob.exc.HTTPNotFound()
         except RepositoryError as e:
             log.error(traceback.format_exc())
             h.flash(safe_str(e), category='error')
             raise webob.exc.HTTPBadRequest()

kallithea/templates/admin/settings/settings_system_update.html

➞

Show inline comments

@@ @@ -3,13 +3,13 @@ @@
 <div class="alert ${'alert-warning' if c.should_upgrade else 'alert-success'}">
 <p>
 %if c.should_upgrade:
     A <b>new version</b> is available:
     %if c.latest_data.get('title'):
-        <b>${h.literal(c.latest_data['title'])}</b>
         <b>${c.latest_data['title']}</b>
     %else:
         <b>${c.latest_ver}</b>
     %endif
 %else:
     You already have the <b>latest</b> stable version.
 %endif

kallithea/templates/base/default_perms_box.html

➞

Show inline comments

@@ @@ -21,33 +21,33 @@ ${h.form(form_url)} @@
             <div id="inherit_overlay">
             <div class="form-group">
                 <label class="control-label" for="create_repo_perm">${_('Create repositories')}:</label>
                 <div>
                     ${h.checkbox('create_repo_perm',value=True)}
                     <span class="help-block">
-                        ${h.literal(_('Select this option to allow repository creation for this user'))}
                         ${_('Select this option to allow repository creation for this user')}
                     </span>
                 </div>
             </div>
             <div class="form-group">
                 <label class="control-label" for="create_user_group_perm">${_('Create user groups')}:</label>
                 <div>
                     ${h.checkbox('create_user_group_perm',value=True)}
                     <span class="help-block">
-                        ${h.literal(_('Select this option to allow user group creation for this user'))}
                         ${_('Select this option to allow user group creation for this user')}
                     </span>
                 </div>
             </div>
             <div class="form-group">
                 <label class="control-label" for="fork_repo_perm">${_('Fork repositories')}:</label>
                 <div>
                     ${h.checkbox('fork_repo_perm',value=True)}
                     <span class="help-block">
-                        ${h.literal(_('Select this option to allow repository forking for this user'))}
                         ${_('Select this option to allow repository forking for this user')}
                     </span>
                 </div>
             </div>
             </div>

0 comments (0 inline, 0 general)