comparison roundup/cgi/client.py @ 4851:24b8011cd2dc
Fix XSS in issue2550817
Note that the code that triggers that particular bug is no longer in
roundup core. But the change to the templates we suggest is a *lot*
safer as it always escapes the error and ok messages now.
If you are upgrading: you *MUST* read doc/upgrading.txt and do the
necessary changes to your templates, the escaping now happens in the
template and not in the roundup code. So if you don't make the necessary
changes *you are vulnerable*.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 20 Dec 2013 18:24:10 +0100 |
| parents | bc4144417861 |
| children | ca692423e401 |
| 4850:6998ad77841e | 4851:24b8011cd2dc |
|---|---|
| 47 p = security.addPermission(name="Web Roles", | 47 p = security.addPermission(name="Web Roles", |
| 48 description="User may manipulate user Roles through the web") | 48 description="User may manipulate user Roles through the web") |
| 49 security.addPermissionToRole('Admin', p) | 49 security.addPermissionToRole('Admin', p) |
| 50 | 50 |
| 51 def clean_message(msg): | 51 def clean_message(msg): |
| 52 return cgi.escape (msg).replace ('\n', '<br />\n') | 52 """ A multi-line message is now split at line boundaries. |
| 53 The templates will do the right thing to format this message. | |
| 54 Note that we no longer need to escape the message as this is now | |
| 55 taken care of by the template. | |
| 56 """ | |
| 57 return msg.split('\n') | |
| 53 | 58 |
| 54 error_message = ''"""<html><head><title>An error has occurred</title></head> | 59 error_message = ''"""<html><head><title>An error has occurred</title></head> |
| 55 <body><h1>An error has occurred</h1> | 60 <body><h1>An error has occurred</h1> |
| 56 <p>A problem was encountered processing your request. | 61 <p>A problem was encountered processing your request. |
| 57 The tracker maintainers have been notified of the problem.</p> | 62 The tracker maintainers have been notified of the problem.</p> |
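Review bot: In the new `clean_message` (lines 51-57 on the right), dropping `cgi.escape` shifts the whole XSS defence onto the templates, and nothing in this function or its docstring records that precondition beyond the sentence "taken care of by the template"; since an unconverted tracker template that still renders these messages unescaped is now exploitable, the docstring should say explicitly that callers must only render the returned lines through escaping template constructs, and point at doc/upgrading.txt as the commit message does. The return type also changes from `str` to `list` of lines, so every caller that still does `self.error_message.append(...)` on the result will now store a nested list instead of a line; the docstring should state "returns a list of lines" so that change is visible at the call sites. Minor: `msg.split('\n')` leaves a trailing `'\r'` on each line of a CRLF-formatted message; `msg.splitlines()` handles both line endings.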
| 875 error_message = self.form[key].value | 880 error_message = self.form[key].value |
| 876 error_message = clean_message(error_message) | 881 error_message = clean_message(error_message) |
| 877 | 882 |
| 878 # see if we were passed in a message | 883 # see if we were passed in a message |
| 879 if ok_message: | 884 if ok_message: |
| 880 self.ok_message.append(ok_message) | 885 self.ok_message.extend(ok_message) |
| 881 if error_message: | 886 if error_message: |
| 882 self.error_message.append(error_message) | 887 self.error_message.extend(error_message) |
| 883 | 888 |
| 884 # determine the classname and possibly nodeid | 889 # determine the classname and possibly nodeid |
| 885 path = self.path.split('/') | 890 path = self.path.split('/') |
| 886 if not path or path[0] in ('', 'home', 'index'): | 891 if not path or path[0] in ('', 'home', 'index'): |
| 887 if template_override is not None: | 892 if template_override is not None: |
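Review bot: The switch from `append` to `extend` at lines 885 and 887 (right) is only correct if both `ok_message` and `error_message` are lists at this point. The visible context shows `error_message` passing through `clean_message` (line 881) and therefore arriving as a list of lines, but `ok_message` is not cleaned anywhere in this hunk; if it is still a plain string, `self.ok_message.extend(ok_message)` will add one entry per character. Please confirm that `ok_message` is run through `clean_message` (or is otherwise a list) before line 884, or guard it with the same `clean_message` call used for `error_message`.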
