kallithea Files · init.d/celeryd-upstart.conf

Files @ 603f5f7c323d

Branch filter:

Location: kallithea/init.d/celeryd-upstart.conf

603f5f7c323d 904 B text/plain Show Annotation Show as Raw Download as Raw

Thomas De Schampheleire

pullrequests: prevent XSS in 'Potential Reviewers' list when first and last names cannot be trusted

If a user first or last name contains javascript, these fields need proper
escaping to avoid XSS attacks.

An example scenario is:
- the malicious user creates a repository. This will cause this user to be
listed automatically under 'Potential Reviewers' in pull requests.
- another user creates a pull request on that repository and selects the
suggested reviewer from the 'Potential Reviewers' list.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

Technical note: the other caller of addReviewMember in base.js itself does
_not_ need to be adapted to escape the input values, because the input
values (oData) are _already_ escaped (by the YUI framework).

# celeryd - run the celeryd daemon as an upstart job for kallithea
# Change variables/paths as necessary and place file /etc/init/celeryd.conf
# start/stop/restart as normal upstart job (ie: $ start celeryd)

description	"Celery for Kallithea Mercurial Server"
author		"Matt Zuba <matt.zuba@goodwillaz.org"

start on starting kallithea
stop on stopped kallithea

respawn

umask 0022

env PIDFILE=/tmp/celeryd.pid
env APPINI=/var/hg/kallithea/production.ini
env HOME=/var/hg
env USER=hg
# To use group (if different from user), you must edit sudoers file and change
# root's entry from (ALL) to (ALL:ALL)
# env GROUP=hg

script
    COMMAND="/var/hg/.virtualenvs/kallithea/bin/paster celeryd $APPINI --pidfile=$PIDFILE"
    if [ -z "$GROUP" ]; then
        exec sudo -u $USER $COMMAND
    else
        exec sudo -u $USER -g $GROUP $COMMAND
    fi
end script

post-stop script
    rm -f $PIDFILE
end script