Changeset - ddad3be4dc44
Parent rev.
Child rev.
[Not reviewed]
stable
0 1 0
Thomas De Schampheleire - 7 years ago 2019-04-19 20:54:46
thomas.de_schampheleire@nokia.com
changeset: fix XSS vulnerability in parent-child navigation

The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser
normally immediately jump to the correct revision upon click. But, if there
are multiple candidates, e.g. two children of a commit, then a list of
revisions is shown as hyperlinks instead.

These hyperlinks have a 'title' attribute containing the full commit message
of the corresponding commit. When this commit message contains characters
special to HTML, like ", >, etc. they were added literally to the HTML code.

This can lead to a cross-site scripting (XSS) vulnerability when an attacker
has write access to a repository. They could craft a special commit message
that would introduce HTML and/or JavaScript code when the commit is listed
in such 'parent-child' navigation links.

Escape the commit message before using it further.
1 file changed with 1 insertions and 1 deletions:
kallithea/public/js/base.js
1
1
0 comments (0 inline, 0 general)
kallithea/public/js/base.js
Show inline comments
 
@@ -1484,25 +1484,25 @@ var activate_parent_child_links = functi
 
                    }
 
                    else if(data.results.length > 1){
 
                        $this.addClass('disabled');
 
                        $this.addClass('double');
 
                        var template =
 
                            ($this.data('linktype') == 'parent' ? '<i class="icon-left-open"/> ' : '') +
 
                            '<a title="__title__" href="__url__">__rev__</a>' +
 
                            ($this.data('linktype') == 'child' ? ' <i class="icon-right-open"/>' : '');
 
                        var _html = [];
 
                        for(var i = 0; i < data.results.length; i++){
 
                            _html.push(template
 
                                .replace('__rev__', 'r{0}:{1}'.format(data.results[i].revision, data.results[i].raw_id.substr(0, 6)))
 
                                .replace('__title__', data.results[i].message)
 
                                .replace('__title__', data.results[i].message.html_escape())
 
                                .replace('__url__', pyroutes.url('changeset_home', {
 
                                    'repo_name': repo_name,
 
                                    'revision': data.results[i].raw_id}))
 
                                );
 
                        }
 
                        $this.html(_html.join('<br/>'));
 
                    }
 
                }
 
            });
 
        e.preventDefault();
 
        }
 
    });
0 comments (0 inline, 0 general)
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.