Files @ ddad3be4dc44
Branch filter:

Location: kallithea/init.d/kallithea-daemon-gentoo

ddad3be4dc44 1.2 KiB text/plain Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
changeset: fix XSS vulnerability in parent-child navigation

The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser
normally immediately jump to the correct revision upon click. But, if there
are multiple candidates, e.g. two children of a commit, then a list of
revisions is shown as hyperlinks instead.

These hyperlinks have a 'title' attribute containing the full commit message
of the corresponding commit. When this commit message contains characters
special to HTML, like ", >, etc. they were added literally to the HTML code.

This can lead to a cross-site scripting (XSS) vulnerability when an attacker
has write access to a repository. They could craft a special commit message
that would introduce HTML and/or JavaScript code when the commit is listed
in such 'parent-child' navigation links.

Escape the commit message before using it further.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#!/sbin/runscript
########################################
#### THIS IS AN GENTOO INIT.D SCRIPT####
########################################

APP_NAME="kallithea"
APP_HOMEDIR="username/python_workspace"
APP_PATH="/home/$APP_HOMEDIR/$APP_NAME"

CONF_NAME="production.ini"

PID_PATH="$APP_PATH/$APP_NAME.pid"
LOG_PATH="$APP_PATH/$APP_NAME.log"

PYTHON_PATH="/home/$APP_HOMEDIR/v-env"

RUN_AS="username"

DAEMON="$PYTHON_PATH/bin/gearbox"

DAEMON_OPTS="serve --daemon \
--user=$RUN_AS \
--group=$RUN_AS \
--pid-file=$PID_PATH \
--log-file=$LOG_PATH -c $APP_PATH/$CONF_NAME"

#extra options
opts="${opts} restartdelay"

depend() {
    need nginx
}

start() {
    ebegin "Starting $APP_NAME"
    start-stop-daemon -d $APP_PATH -e PYTHON_EGG_CACHE="/tmp" \
        --start --quiet \
        --pidfile $PID_PATH \
        --user $RUN_AS \
        --exec $DAEMON -- $DAEMON_OPTS
    eend $?
}

stop() {
    ebegin "Stopping $APP_NAME"
    start-stop-daemon -d $APP_PATH \
        --stop --quiet \
        --pidfile $PID_PATH || echo "$APP_NAME - Not running!"
    if [ -f $PID_PATH ]; then
        rm $PID_PATH
    fi
    eend $?
}

restartdelay() {
    #stop()
    echo "sleep3"
    sleep 3

    #start()
}
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.