comparison CHANGES.txt @ 4962:63c31b18b955
Fix issue 2550848: HTML attachments should not be served as text/html
This adds a whitelist of safe extensions based on an analysis of all
committed mime-types to bugs.python.org and issues.roun...org
In future the whitelist can be turned off with the option
'render_unsafe_content' (like in Trac), but adding this new
feature requires a minor version bump.
| author | anatoly techtonik <techtonik@gmail.com> |
|---|---|
| date | Sat, 17 Jan 2015 21:06:04 +0300 |
| parents | 58537764bf77 |
| children | cdfb1a3fb56f |
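The commit message contrasts two ways of deciding what content type an attachment is served with: the earlier check that only blocked declared types containing the substring "html" (unless `allow_html_file` was set), and the whitelist that serves only known-safe types and falls back to `application/octet-stream` for everything else, including invalid types a browser would otherwise sniff. The following is an added example illustrating that difference; it is not Roundup's own code, and the whitelist contents, the function names and the fallback behaviour are assumptions made for the example (the page does not list the actual extensions or types).

```python
"""Added example (not Roundup's code): substring check versus whitelist
for choosing the Content-Type an attachment is served with."""

# Constructed whitelist of types a browser renders without executing code.
# The real list in the commit is not shown on the page; this is an assumption.
SAFE_CONTENT_TYPES = frozenset({
    "text/plain",
    "image/png",
    "image/jpeg",
    "image/gif",
    "application/pdf",
})

# Served for anything not on the whitelist so the browser downloads it
# instead of trying to guess a renderable type.
FALLBACK = "application/octet-stream"


def content_type_substring_check(declared, allow_html_file=False):
    """Earlier approach described in the removed changelog entry.

    Only a declared type containing 'html' (case-insensitive) is replaced
    by the fallback. Any other declared type is passed through unchanged,
    including malformed or unknown ones, which is the gap the commit
    message refers to: the browser then guesses.
    """
    if declared and "html" in declared.lower() and not allow_html_file:
        return FALLBACK
    return declared or FALLBACK


def content_type_whitelist(declared):
    """Whitelist approach added by the commit.

    Normalise the declared type (drop parameters such as charset, lower-case)
    and serve it only when it is on the known-safe list; everything else,
    invalid types included, becomes application/octet-stream.
    """
    if not declared:
        return FALLBACK
    base = declared.split(";", 1)[0].strip().lower()
    return base if base in SAFE_CONTENT_TYPES else FALLBACK


def compare(declared):
    """Return (substring-check result, whitelist result) for one declared type."""
    return (content_type_substring_check(declared), content_type_whitelist(declared))


if __name__ == "__main__":
    # Constructed sample declared types, including an invalid one.
    for sample in ["text/html", "TEXT/plain; charset=utf-8", "image/png",
                   "not-a-valid/type", ""]:
        print(repr(sample), "->", compare(sample))
```

With an invalid declared type such as `not-a-valid/type`, the substring check passes it through and leaves the browser to guess, while the whitelist returns the download fallback; both reject `text/html`.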
| 4961:58537764bf77 | 4962:63c31b18b955 |
|---|---|
| 118 attributes. We now limit this to the username, realname and some | 118 attributes. We now limit this to the username, realname and some |
| 119 further attributes depending on the schema. Note that we no longer | 119 further attributes depending on the schema. Note that we no longer |
| 120 include the email addresses, depending on your installation you may | 120 include the email addresses, depending on your installation you may |
| 121 want to further restrict this or add some attributes like ``address`` | 121 want to further restrict this or add some attributes like ``address`` |
| 122 and ``alternate_addresses``. (Ralf Schlatterbeck) | 122 and ``alternate_addresses``. (Ralf Schlatterbeck) |
| 123 - Security: Attached html files are not shipped as text/html by default, | |
| 124 unless ``allow_html_file`` is specified in the configuration. | |
| 125 Unfortunately some browsers want to be helpful and render other | |
| 126 non-standard content types as html. We now change this to | |
| 127 application/octet-stream whenever 'html' is contained in the string | |
| 128 (case insensitive). Thanks to Kay Hayen for reporting and helping | |
| 129 debug this. (Ralf Schlatterbeck) | |
| 130 - Correctly recreate the database directory when re-initialising a tracker | 123 - Correctly recreate the database directory when re-initialising a tracker |
| 131 instance. (John Kristensen) | 124 instance. (John Kristensen) |
| 132 - In case of an error, date fields would lose the calendar help, fixed. | 125 - In case of an error, date fields would lose the calendar help, fixed. |
| 133 (Ralf Schlatterbeck) | 126 (Ralf Schlatterbeck) |
| 134 - demo.py usage message improved: explains "nuke" now. (Bernhard Reiter) | 127 - demo.py usage message improved: explains "nuke" now. (Bernhard Reiter) |
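Review bot: the deleted entry (old lines 123-129) was the only place this changelog documented the ``allow_html_file`` option and the previous fallback of serving any type containing 'html' as application/octet-stream; removing it wholesale leaves the file silent on whether that option or that fallback still applies after the whitelist change. Suggest keeping a one-line note next to the replacement entry, e.g. "``allow_html_file`` is superseded by the mime-type whitelist", so users who set the option know what to expect.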
| 138 (Thomas Arendsen Hein) | 131 (Thomas Arendsen Hein) |
| 139 - Fix broken images in legacy spec.html and original_overview.html, and | 132 - Fix broken images in legacy spec.html and original_overview.html, and |
| 140 restore web presence for "Roundup’s Design Document" (anatoly techtonik) | 133 restore web presence for "Roundup’s Design Document" (anatoly techtonik) |
| 141 - Template jinja2: Updated URL to point to http://www.roundup-tracker.org/ | 134 - Template jinja2: Updated URL to point to http://www.roundup-tracker.org/ |
| 142 (Bernhard Reiter) | 135 (Bernhard Reiter) |
| 136 - Security: Add mime-type whitelist for attachmens that can be safely | |
| 137 rendered from Roundup without trigerring security bugs in browser | |
| 138 plugins, XSS issues and spam. The option ``allow_html_file`` didn't | |
| 139 provide protection for invalid content-type, in which case browser | |
| 140 tried to guess the best one. Thanks to Kay Hayen for reporting and | |
| 141 helping debug this. issue2550848 (Ralf Schlatterbeck, anatoly techtonik) | |
| 142 | |
| 143 | 143 |
| 144 | 144 |
| 145 2013-07-06: 1.5.0 | 145 2013-07-06: 1.5.0 |
| 146 | 146 |
| 147 Features: | 147 Features: |
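Review bot: two typos in the inserted text at new lines 136-137: "attachmens" should be "attachments" and "trigerring" should be "triggering". The entry also refers to ``allow_html_file`` only in the past tense ("didn't provide protection"), so it is not clear whether the option still has any effect; adding a sentence that the whitelist cannot be disabled yet (the commit message defers a 'render_unsafe_content' switch to a minor version bump) would make the release note self-contained. New line 142 is an extra blank line; together with 143 and 144 that gives three blank lines before the "2013-07-06: 1.5.0" heading where there were two before.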
