Files @ ddad3be4dc44
Branch filter:

Location: kallithea/init.d/kallithea-daemon-arch

ddad3be4dc44 1.3 KiB text/plain Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
changeset: fix XSS vulnerability in parent-child navigation

The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser
normally immediately jump to the correct revision upon click. But, if there
are multiple candidates, e.g. two children of a commit, then a list of
revisions is shown as hyperlinks instead.

These hyperlinks have a 'title' attribute containing the full commit message
of the corresponding commit. When this commit message contains characters
special to HTML, like ", >, etc. they were added literally to the HTML code.

This can lead to a cross-site scripting (XSS) vulnerability when an attacker
has write access to a repository. They could craft a special commit message
that would introduce HTML and/or JavaScript code when the commit is listed
in such 'parent-child' navigation links.

Escape the commit message before using it further.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
#!/bin/bash
###########################################
#### THIS IS AN ARCH LINUX RC.D SCRIPT ####
###########################################

. /etc/rc.conf
. /etc/rc.d/functions

DAEMON=kallithea
APP_HOMEDIR="/srv"
APP_PATH="$APP_HOMEDIR/$DAEMON"
CONF_NAME="production.ini"
LOG_FILE="/var/log/$DAEMON.log"
PID_FILE="/run/daemons/$DAEMON"
APPL=/usr/bin/gearbox
RUN_AS="*****"

ARGS="serve --daemon \
--user=$RUN_AS \
--group=$RUN_AS \
--pid-file=$PID_FILE \
--log-file=$LOG_FILE \
-c $APP_PATH/$CONF_NAME"

[ -r /etc/conf.d/$DAEMON ] && . /etc/conf.d/$DAEMON

if [[ -r $PID_FILE ]]; then
    read -r PID < "$PID_FILE"
    if [[ $PID && ! -d /proc/$PID ]]; then
        unset PID
        rm_daemon $DAEMON
    fi
fi

case "$1" in
start)
    stat_busy "Starting $DAEMON"
    export HOME=$APP_PATH
    [ -z "$PID" ] && $APPL $ARGS &>/dev/null
    if [ $? = 0 ]; then
        add_daemon $DAEMON
        stat_done
    else
        stat_fail
        exit 1
    fi
    ;;
stop)
    stat_busy "Stopping $DAEMON"
    [ -n "$PID" ] && kill $PID &>/dev/null
    if [ $? = 0 ]; then
        rm_daemon $DAEMON
        stat_done
    else
        stat_fail
        exit 1
    fi
    ;;
restart)
    $0 stop
    sleep 1
    $0 start
    ;;
status)
    stat_busy "Checking $name status";
    ck_status $name
    ;;
*)
    echo "usage: $0 {start|stop|restart|status}"
esac
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.