Files @ c7728c5736fd
Branch filter:

Location: kallithea/setup.py

c7728c5736fd 4.8 KiB text/x-python Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
templates: narrow down scope of webhelpers.html.literal for HTML injection

When using webhelpers.html.literal to inject some explicit HTML code with
some variable data, there are two approaches:
h.literal('some <html> code with %s data' % foobar)
or
h.literal('some <html> code with %s data') % foobar

In the first case, the literal also applies to the contents of variable
'foobar' which may be influenceable by users and thus potentially malicious.
In the second case, this term will be escaped by webhelpers.

See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html#webhelpers.html.builder.literal
"Also, if you add another string to this string, the other string will
be quoted and you will get back another literal object. Also
literal(...) % obj will quote any value(s) from obj."

In files_browser.html, the correction of this scope of literal() also means
that explicit escaping of node.name can be removed. The escaping is now done
automatically by webhelpers as mentioned above.
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
import os
import sys
import platform

if sys.version_info < (2, 6) or sys.version_info >= (3,):
    raise Exception('Kallithea requires python 2.6 or 2.7')


here = os.path.abspath(os.path.dirname(__file__))


def _get_meta_var(name, data, callback_handler=None):
    import re
    matches = re.compile(r'(?:%s)\s*=\s*(.*)' % name).search(data)
    if matches:
        if not callable(callback_handler):
            callback_handler = lambda v: v

        return callback_handler(eval(matches.groups()[0]))

_meta = open(os.path.join(here, 'kallithea', '__init__.py'), 'rb')
_metadata = _meta.read()
_meta.close()

callback = lambda V: ('.'.join(map(str, V[:3])) + '.'.join(V[3:]))
__version__ = _get_meta_var('VERSION', _metadata, callback)
__license__ = _get_meta_var('__license__', _metadata)
__author__ = _get_meta_var('__author__', _metadata)
__url__ = _get_meta_var('__url__', _metadata)
# defines current platform
__platform__ = platform.system()

is_windows = __platform__ in ['Windows']

requirements = [
    "alembic >= 0.8.0, < 1.1",
    "gearbox < 1",
    "waitress >= 0.8.8, < 1.2",
    "WebOb >= 1.7, < 1.8", # turbogears2 2.3.12 requires WebOb<1.8.0
    "backlash >= 0.1.2, < 1",
    "TurboGears2 >= 2.3.10, < 2.4",
    "tgext.routes >= 0.2.0, < 1",
    "Beaker >= 1.7.0, < 2",
    "WebHelpers >= 1.3, < 1.4",
    "FormEncode >= 1.2.4, < 1.4",
    "SQLAlchemy >= 1.1, < 1.3",
    "Mako >= 0.9.0, < 1.1",
    "Pygments >= 2.0, < 2.3",
    "Whoosh >= 2.5.0, < 2.8",
    "celery >= 3.1, < 4.0", # celery 4 doesn't work
    "Babel >= 1.3, < 2.7",
    "python-dateutil >= 1.5.0, < 2.8",
    "Markdown >= 2.2.1, < 2.7",
    "docutils >= 0.11, < 0.15",
    "URLObject >= 2.3.4, < 2.5",
    "Routes >= 1.13, < 2",
    "dulwich >= 0.14.1, < 0.20",
    "mercurial >= 4.1.1, < 4.10",
    "decorator >= 3.3.2, < 4.4",
    "Paste >= 2.0.3, < 3.1",
    "bleach >= 3.0, < 3.1",
    "Click >= 7.0, < 8",
]

if sys.version_info < (2, 7):
    requirements.append("importlib == 1.0.1")
    requirements.append("argparse")

if not is_windows:
    requirements.append("bcrypt >= 3.1.0, < 3.2")

dependency_links = [
]

classifiers = [
    'Development Status :: 4 - Beta',
    'Environment :: Web Environment',
    'Framework :: Pylons',
    'Intended Audience :: Developers',
    'License :: OSI Approved :: GNU General Public License (GPL)',
    'Operating System :: OS Independent',
    'Programming Language :: Python',
    'Programming Language :: Python :: 2.6',
    'Programming Language :: Python :: 2.7',
    'Topic :: Software Development :: Version Control',
]


# additional files from project that goes somewhere in the filesystem
# relative to sys.prefix
data_files = []

description = ('Kallithea is a fast and powerful management tool '
               'for Mercurial and Git with a built in push/pull server, '
               'full text search and code-review.')

keywords = ' '.join([
    'kallithea', 'mercurial', 'git', 'code review',
    'repo groups', 'ldap', 'repository management', 'hgweb replacement',
    'hgwebdir', 'gitweb replacement', 'serving hgweb',
])

# long description
README_FILE = 'README.rst'
try:
    long_description = open(README_FILE).read()
except IOError as err:
    sys.stderr.write(
        "[WARNING] Cannot find file specified as long_description (%s)\n"
        % README_FILE
    )
    long_description = description

import setuptools

# monkey patch setuptools to use distutils owner/group functionality
from setuptools.command import sdist
sdist_org = sdist.sdist
class sdist_new(sdist_org):
    def initialize_options(self):
        sdist_org.initialize_options(self)
        self.owner = self.group = 'root'
sdist.sdist = sdist_new

packages = setuptools.find_packages(exclude=['ez_setup'])

setuptools.setup(
    name='Kallithea',
    version=__version__,
    description=description,
    long_description=long_description,
    keywords=keywords,
    license=__license__,
    author=__author__,
    author_email='kallithea@sfconservancy.org',
    dependency_links=dependency_links,
    url=__url__,
    install_requires=requirements,
    classifiers=classifiers,
    data_files=data_files,
    packages=packages,
    include_package_data=True,
    message_extractors={'kallithea': [
            ('**.py', 'python', None),
            ('templates/**.mako', 'mako', {'input_encoding': 'utf-8'}),
            ('templates/**.html', 'mako', {'input_encoding': 'utf-8'}),
            ('public/**', 'ignore', None)]},
    zip_safe=False,
    entry_points="""
    [console_scripts]
    kallithea-api =    kallithea.bin.kallithea_api:main
    kallithea-gist =   kallithea.bin.kallithea_gist:main
    kallithea-config = kallithea.bin.kallithea_config:main
    kallithea-cli =    kallithea.bin.kallithea_cli:cli

    [paste.app_factory]
    main = kallithea.config.middleware:make_app
    """,
)
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.