kallithea Changeset - c9bd000a4567

Changeset - c9bd000a4567

Parent rev.

Child rev.

[Not reviewed]

stable

0 1 0

Mads Kiilerich - 7 years ago 2019-02-11 21:36:55
mads@kiilerich.com

templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS

On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

1 file changed with 1 insertions and 1 deletions:

kallithea/templates/summary/summary.html

0 comments (0 inline, 0 general)

kallithea/templates/summary/summary.html

➞

Show inline comments

@@ @@ -290,13 +290,13 @@ $(document).ready(function(){ @@
        for(k in tmpl_links){
            var s = $('#'+k+'_link');
            if(s){
              var title_tmpl = "${_('Download %s as %s') % ('__CS_NAME__','__CS_EXT__')}";
              title_tmpl= title_tmpl.replace('__CS_NAME__',new_cs.text);
              title_tmpl = title_tmpl.replace('__CS_EXT__',k);
              title_tmpl = '<i class="icon-file-zip"></i> '+ title_tmpl;
+             title_tmpl = '<i class="icon-file-zip"></i> '+ title_tmpl.html_escape();
              var url = tmpl_links[k].replace('__CS__',new_cs.id);
              var subrepos = $('#archive_subrepos').is(':checked');
              url = url.replace('__SUB__',subrepos);
              url = url.replace('__NAME__',title_tmpl);
              s.html(url);

0 comments (0 inline, 0 general)