annotate website/issues/detectors/newissuecopy.py @ 8356:63390dcfcfe9
bug: fix template use of structure with untrusted data
Looks like an XSS bug with an early version of the template that was
fixed in the code but never in the deployed tracker. It has been a
while since this particular construct has been in the classic template
which is the base for the tracker.
This has been fixed on the deployed tracker as well.
reported by 4bug of ChaMd5 Security Team H1 Group
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 08 Jul 2025 10:23:09 -0400 |
| parents | 35ea9b1efc14 |
| children |
Changesets that contributed lines to this file (line numbers refer to the source listing below):

| rev | changeset | lines | description | author | parents |
|---|---|---|---|---|---|
| 4354 | 81a9eda2a798 | 1-13, 17-19 | I need to know when new issues are created | Richard Jones <richard@users.sourceforge.net> | |
| 5248 | 198b6e810c67 | 15 | Use Python-3-compatible 'as' syntax for except statements | Eric S. Raymond <esr@thyrsus.com> | 4376 |
| 5277 | b580f61929e2 | 14, 20 | Removing richard from notification list. Verified that | John Rouillard <rouilj@ieee.org> | 5248 |
| 5378 | 35ea9b1efc14 | 16 | Python 3 preparation: "raise" syntax. | Joseph Myers <jsm@polyomino.org.uk> | 5277 |

```python
from roundup import roundupdb

def newissuecopy(db, cl, nodeid, oldvalues):
    ''' Copy a message about new issues to a team address.
    '''
    # so use all the messages in the create
    change_note = cl.generateCreateNote(nodeid)

    # send a copy to the nosy list
    for msgid in cl.get(nodeid, 'messages'):
        try:
            # note: last arg must be a list
            cl.send_message(nodeid, msgid, change_note,
                            ['roundup-devel@lists.sourceforge.net'])
        except roundupdb.MessageSendError as message:
            raise roundupdb.DetectorError(message)

def init(db):
    db.issue.react('create', newissuecopy)
#SHA: 6ed003c947e1f9df148f8f4500b7c2e68a45229b
```
