Changeset - c9bd000a4567
stable
Mads Kiilerich - 7 years ago 2019-02-11 21:36:55
mads@kiilerich.com
templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS

On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmark names.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
1 file changed with 1 insertions and 1 deletions:
kallithea/templates/summary/summary.html
 
@@ -248,97 +248,97 @@ $(document).ready(function(){
 
        $clone_url.hide();
 
    });
 

	
 
    var cache = {}
 
    $("#download_options").select2({
 
        placeholder: _TM['Select changeset'],
 
        dropdownAutoWidth: true,
 
        query: function(query){
 
          var key = 'cache';
 
          var cached = cache[key] ;
 
          if(cached) {
 
            var data = {results: []};
 
            //filter results
 
            $.each(cached.results, function(){
 
                var section = this.text;
 
                var children = [];
 
                $.each(this.children, function(){
 
                    if(query.term.length == 0 || this.text.toUpperCase().indexOf(query.term.toUpperCase()) >= 0 ){
 
                        children.push({'id': this.id, 'text': this.text});
 
                    }
 
                });
 
                data.results.push({'text': section, 'children': children});
 
            });
 
            query.callback(data);
 
          }else{
 
              $.ajax({
 
                url: pyroutes.url('repo_refs_data', {'repo_name': '${c.repo_name}'}),
 
                data: {},
 
                dataType: 'json',
 
                type: 'GET',
 
                success: function(data) {
 
                  cache[key] = data;
 
                  query.callback({results: data.results});
 
                }
 
              });
 
          }
 
        }
 
    });
 
    // on change of download options
 
    $('#download_options').change(function(e){
 
       var new_cs = e.added
 

	
 
       for(k in tmpl_links){
 
           var s = $('#'+k+'_link');
 
           if(s){
 
             var title_tmpl = "${_('Download %s as %s') % ('__CS_NAME__','__CS_EXT__')}";
 
             title_tmpl= title_tmpl.replace('__CS_NAME__',new_cs.text);
 
             title_tmpl = title_tmpl.replace('__CS_EXT__',k);
 
             title_tmpl = '<i class="icon-file-zip"></i> '+ title_tmpl;
 
             title_tmpl = '<i class="icon-file-zip"></i> '+ title_tmpl.html_escape();
 
             var url = tmpl_links[k].replace('__CS__',new_cs.id);
 
             var subrepos = $('#archive_subrepos').is(':checked');
 
             url = url.replace('__SUB__',subrepos);
 
             url = url.replace('__NAME__',title_tmpl);
 

	
 
             s.html(url);
 
           }
 
       }
 
    });
 

	
 
    var tmpl_links = {};
 
    %for cnt,archive in enumerate(c.db_repo_scm_instance._get_archives()):
 
      tmpl_links["${archive['type']}"] = '${h.link_to('__NAME__', h.url('files_archive_home',repo_name=c.db_repo.repo_name, fname='__CS__'+archive['extension'],subrepos='__SUB__'),class_='btn btn-small')}';
 
    %endfor
 
});
 
</script>
 

	
 
%if c.show_stats:
 
<script type="text/javascript">
 
$(document).ready(function(){
 
    var data = ${c.trending_languages|n};
 
    var total = 0;
 
    var no_data = true;
 
    var tbl = document.createElement('table');
 
    tbl.setAttribute('class','trending_language_tbl');
 
    var cnt = 0;
 
    for (var i=0;i<data.length;i++){
 
        total+= data[i][1].count;
 
    }
 
    for (var i=0;i<data.length;i++){
 
        cnt += 1;
 
        no_data = false;
 

	
 
        var hide = cnt>2;
 
        var tr = document.createElement('tr');
 
        if (hide){
 
            tr.setAttribute('style','display:none');
 
            tr.setAttribute('class','stats_hidden');
 
        }
 
        var k = data[i][0];
 
        var obj = data[i][1];
 
        var percentage = Math.round((obj.count/total*100),2);
 

	
 
        var td1 = document.createElement('td');
 
        td1.width = 150;
 
        var trending_language_label = document.createElement('div');
 
        trending_language_label.innerHTML = obj.desc+" ("+k+")";
 
        td1.appendChild(trending_language_label);
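Review bot: The new `html_escape()` on the `title_tmpl` line covers the ref name that goes into the link text, but `new_cs.id` is still spliced unescaped into the href two lines below via `tmpl_links[k].replace('__CS__',new_cs.id)`; the markup produced by `h.link_to` puts `__CS__` inside an attribute, so unless the id from `repo_refs_data` is guaranteed to be a plain hash (presumably, but worth confirming), the same class of bug remains there. A one-line hardening in the same style is `var url = tmpl_links[k].replace('__CS__', new_cs.id.html_escape());`, and since the value also lands inside a URL path it should arguably be `encodeURIComponent`-ed first, depending on what the `files_archive_home` route expects. Separately, `String.prototype.replace` with a string second argument interprets `$&`, `$'` and similar sequences, so a ref name containing `$'` would be mangled even after escaping; a replacer function such as `.replace('__CS_NAME__', function(){ return new_cs.text; })` avoids that. The `for(k in tmpl_links)` loop also assigns `k` without `var`, creating an implicit global. The enclosing `$(document).ready` callback starts before the hunk.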