Files @ ddad3be4dc44
Branch filter:

Location: kallithea/docs/usage/debugging.rst

ddad3be4dc44 1.2 KiB text/prs.fallenstein.rst Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
changeset: fix XSS vulnerability in parent-child navigation

The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser
normally immediately jump to the correct revision upon click. But, if there
are multiple candidates, e.g. two children of a commit, then a list of
revisions is shown as hyperlinks instead.

These hyperlinks have a 'title' attribute containing the full commit message
of the corresponding commit. When this commit message contains characters
special to HTML, like ", >, etc. they were added literally to the HTML code.

This can lead to a cross-site scripting (XSS) vulnerability when an attacker
has write access to a repository. They could craft a special commit message
that would introduce HTML and/or JavaScript code when the commit is listed
in such 'parent-child' navigation links.

Escape the commit message before using it further.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
.. _debugging:

===================
Debugging Kallithea
===================

If you encounter problems with Kallithea, here are some instructions
on how to debug them.

.. note:: First make sure you're using the latest version available.


Enable detailed debug
---------------------

Kallithea uses the standard Python ``logging`` module to log its output.
By default only loggers with ``INFO`` level are displayed. To enable full output
change ``level = DEBUG`` for all logging handlers in the currently used .ini file.
This change will allow you to see much more detailed output in the log file or
console. This generally helps a lot to track issues.


Enable interactive debug mode
-----------------------------

To enable interactive debug mode simply comment out ``set debug = false`` in
the .ini file. This will trigger an interactive debugger each time
there is an error in the browser, or send a http link if an error occurred in the backend. This
is a great tool for fast debugging as you get a handy Python console right
in the web view.

.. warning:: NEVER ENABLE THIS ON PRODUCTION! The interactive console
             can be a serious security threat to your system.
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.