Files @ 429c2c8a4354
Branch filter:

Location: kallithea/init.d/kallithea-daemon-debian

429c2c8a4354 1.7 KiB text/plain Show Annotation Show as Raw Download as Raw
Mads Kiilerich
pullrequests: prevent XSS in @mention completion when first and last names cannot be trusted

atwho used in MentionsAutoComplete is passing raw user controlled data which
might contain HTML markup.

That could cause XSS issues when completion hit a rogue user name.

To avoid that, make sure displayTpl always escape user information, as
recommended in https://github.com/ichord/At.js/issues/334 .
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
#!/bin/sh -e
########################################
#### THIS IS A DEBIAN INIT.D SCRIPT ####
########################################

### BEGIN INIT INFO
# Provides:          kallithea
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: starts instance of kallithea
# Description:       starts instance of kallithea using start-stop-daemon
### END INIT INFO

APP_NAME="kallithea"
APP_HOMEDIR="opt"
APP_PATH="/$APP_HOMEDIR/$APP_NAME"

CONF_NAME="production.ini"

PID_PATH="$APP_PATH/$APP_NAME.pid"
LOG_PATH="$APP_PATH/$APP_NAME.log"

PYTHON_PATH="/$APP_HOMEDIR/$APP_NAME-venv"

RUN_AS="root"

DAEMON="$PYTHON_PATH/bin/gearbox"

DAEMON_OPTS="serve --daemon \
 --user=$RUN_AS \
 --group=$RUN_AS \
 --pid-file=$PID_PATH \
 --log-file=$LOG_PATH -c $APP_PATH/$CONF_NAME"


start() {
  echo "Starting $APP_NAME"
  PYTHON_EGG_CACHE="/tmp" start-stop-daemon -d $APP_PATH \
      --start --quiet \
      --pidfile $PID_PATH \
      --user $RUN_AS \
      --exec $DAEMON -- $DAEMON_OPTS
}

stop() {
  echo "Stopping $APP_NAME"
  start-stop-daemon -d $APP_PATH \
      --stop --quiet \
      --pidfile $PID_PATH || echo "$APP_NAME - Not running!"

  if [ -f $PID_PATH ]; then
    rm $PID_PATH
  fi
}

status() {
  echo -n "Checking status of $APP_NAME ... "
  pid=`cat $PID_PATH`
  status=`ps ax | grep $pid | grep -ve grep`
  if [ "$?" -eq 0 ]; then
    echo "running"
  else
    echo "NOT running"
  fi
}

case "$1" in
  status)
   status
    ;;
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    echo "Restarting $APP_NAME"
    ### stop ###
    stop
    wait
    ### start ###
    start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.