Files @ c7728c5736fd
Branch filter:

Location: kallithea/docs/administrator_guide/vcs_setup.rst

c7728c5736fd 1.7 KiB text/prs.fallenstein.rst Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
templates: narrow down scope of webhelpers.html.literal for HTML injection

When using webhelpers.html.literal to inject some explicit HTML code with
some variable data, there are two approaches:
h.literal('some <html> code with %s data' % foobar)
or
h.literal('some <html> code with %s data') % foobar

In the first case, the literal also applies to the contents of variable
'foobar' which may be influenceable by users and thus potentially malicious.
In the second case, this term will be escaped by webhelpers.

See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html#webhelpers.html.builder.literal
"Also, if you add another string to this string, the other string will
be quoted and you will get back another literal object. Also
literal(...) % obj will quote any value(s) from obj."

In files_browser.html, the correction of this scope of literal() also means
that explicit escaping of node.name can be removed. The escaping is now done
automatically by webhelpers as mentioned above.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
.. _vcs_setup:

=============================
Version control systems setup
=============================

Kallithea supports Git and Mercurial repositories out-of-the-box.
For Git, you do need the ``git`` command line client installed on the server.

You can always disable Git or Mercurial support by editing the
file ``kallithea/__init__.py`` and commenting out the backend. For example, to
disable Git but keep Mercurial enabled:

.. code-block:: python

   BACKENDS = {
       'hg': 'Mercurial repository',
       #'git': 'Git repository',
   }


Git-specific setup
------------------


Web server with chunked encoding
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Large Git pushes require an HTTP server with support for
chunked encoding for POST. The Python web servers waitress_ and
gunicorn_ (Linux only) can be used. By default, Kallithea uses
waitress_ for `gearbox serve` instead of the built-in `paste` WSGI
server.

The web server used by gearbox is controlled in the .ini file::

    use = egg:waitress#main

or::

    use = egg:gunicorn#main

Also make sure to comment out the following options::

    threadpool_workers =
    threadpool_max_requests =
    use_threadpool =

Increasing Git HTTP POST buffer size
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If Git pushes fail with HTTP error code 411 (Length Required), you may need to
increase the Git HTTP POST buffer. Run the following command as the user that
runs Kallithea to set a global Git variable to this effect::

    git config --global http.postBuffer 524288000


.. _waitress: http://pypi.python.org/pypi/waitress
.. _gunicorn: http://pypi.python.org/pypi/gunicorn
.. _subrepositories: http://mercurial.aragost.com/kick-start/en/subrepositories/
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.