kallithea Files · init.d/celeryd-upstart.conf

Files @ b9b719fb4774

Branch filter:

Location: kallithea/init.d/celeryd-upstart.conf

b9b719fb4774 932 B text/plain Show Annotation Show as Raw Download as Raw

Thomas De Schampheleire

search: fix XSS vulnerability in search results

The search feature did not correctly escape all arguments when displaying
search matches and linking to the corresponding files.

An attacker that can control the contents of a repository could thus cause
a cross-site scripting (XSS) vulnerability.

Fix the problem by removing the overall h.literal call that is only needed
for the HTML entity » and splitting the link instead.

We take the opportunity to improving the destination of the part before
» which is the path to the repository. Instead of pointing to the
search result, point to the repository itself.
The part after » remains linked to the file containing the search
match.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).

# celeryd - run the celeryd daemon as an upstart job for kallithea
# Change variables/paths as necessary and place file /etc/init/celeryd.conf
# start/stop/restart as normal upstart job (ie: $ start celeryd)

description     "Celery for Kallithea Mercurial Server"
author          "Matt Zuba <matt.zuba@goodwillaz.org"

start on starting kallithea
stop on stopped kallithea

respawn

umask 0022

env PIDFILE=/tmp/celeryd.pid
env APPINI=/var/hg/kallithea/production.ini
env HOME=/var/hg
env USER=hg
# To use group (if different from user), you must edit sudoers file and change
# root's entry from (ALL) to (ALL:ALL)
# env GROUP=hg

script
    COMMAND="/var/hg/.virtualenvs/kallithea/bin/kallithea-cli celery-run -c $APPINI -- --pidfile=$PIDFILE"
    if [ -z "$GROUP" ]; then
        exec sudo -u $USER $COMMAND
    else
        exec sudo -u $USER -g $GROUP $COMMAND
    fi
end script

post-stop script
    rm -f $PIDFILE
end script