comparison doc/upgrading.txt @ 4880:ca692423e401
Different approach to fix XSS in issue2550817
Encapsulate the error/ok message append method as add_ok_message and
add_error_message. The new approach escapes the messages when appending
-- at a point in the code where we still know where the message comes
from. Escaping is the default but can be turned off. This also fixes
issue2550836 where certain messages may contain links.
Another advantage of the new fix is that users don't need to change
installed trackers and are secure by default.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Mon, 31 Mar 2014 18:19:23 +0200 |
| parents | 24b8011cd2dc |
| children | 609edf9de0a5 |
| 4879:302c967d710c | 4880:ca692423e401 |
|---|---|
| 14 .. contents:: | 14 .. contents:: |
| 15 | 15 |
| 16 Migrating from 1.5.0 to 1.5.1 | 16 Migrating from 1.5.0 to 1.5.1 |
| 17 ============================= | 17 ============================= |
| 18 | 18 |
| 19 *Important*: | 19 If you have defined your own cgi actions in your tracker instance |
| 20 There was a security bug fixed in the html templates (an XSS | 20 (e.g. in a custom ``extensions/spambayes.py`` file) you need to modify |
| 21 vulnerability). So if you have a running tracker you will have to fix | 21 all cases where client.error_message or client.ok_message are modified |
| 22 the file ``html/page.html`` in your tracker directory. You need to | 22 directly. Instead of:: |
| 23 *twice* remove the ``structure`` element in the template and modify the | 23 |
| 24 'tal:content' attribute, you need to replace the section:: | 24 self.client.ok_message.append(...) |
| 25 | 25 |
| 26 <td> | 26 you need to call:: |
| 27 <p tal:condition="options/error_message | nothing" class="error-message" | 27 |
| 28 tal:repeat="m options/error_message" | 28 self.client.add_ok_message(...) |
| 29 tal:content="structure string:$m <br/ > " /> | 29 |
| 30 <p tal:condition="options/ok_message | nothing" class="ok-message"> | 30 and the same for:: |
| 31 <span tal:repeat="m options/ok_message" | 31 |
| 32 tal:content="structure string:$m <br/ > " /> | 32 self.client.error_message.append(...) |
| 33 <a class="form-small" tal:attributes="href request/current_url" | 33 |
| 34 i18n:translate="">clear this message</a> | 34 vs.:: |
| 35 </p> | 35 |
| 36 </td> | 36 self.client.add_error_message(...) |
| 37 | 37 |
| 38 with:: | 38 The new calls escape the passed string by default and avoid XSS security |
| 39 | 39 issues. |
| 40 <td> | |
| 41 <p tal:condition="options/error_message | nothing" class="error-message" | |
| 42 tal:repeat="m options/error_message" tal:content="m" /> | |
| 43 <p tal:condition="options/ok_message | nothing" class="ok-message"> | |
| 44 <span tal:repeat="m options/ok_message" tal:content="m" /> | |
| 45 <a class="form-small" tal:attributes="href request/current_url" | |
| 46 i18n:translate="">clear this message</a> | |
| 47 </p> | |
| 48 </td> | |
| 49 | |
| 50 if you are using the new *jinja2* base templates, we are now iterating | |
| 51 over the error- and ok-messages and creating a paragraph for each | |
| 52 message. In addition ``autoescape`` is turned on for the section (which | |
| 53 is the critical security change). | |
| 54 See ``templates/jinja2/html/layout/page.html`` for details. | |
| 55 | |
| 56 | 40 |
| 57 Migrating from 1.4.20 to 1.4.21 | 41 Migrating from 1.4.20 to 1.4.21 |
| 58 =============================== | 42 =============================== |
| 59 | 43 |
| 60 The ``_generic.calendar.html`` page of the instance has been updated to include | 44 The ``_generic.calendar.html`` page of the instance has been updated to include |
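Review bot: the replacement text (new lines 19-39) drops the old ``html/page.html`` instructions entirely, but trackers that already followed the earlier 1.5.1 note and changed ``tal:content="structure string:$m <br/ >"`` to ``tal:content="m"`` will now have messages added via ``add_ok_message``/``add_error_message`` escaped a second time by TAL (the old template's ``structure`` is what renders the already-escaped string correctly); add a sentence telling those users to restore the original template. The new text also says the calls "escape the passed string by default" but does not show how to disable escaping for messages that intentionally carry links (the commit message mentions this for issue2550836); the upgrading note should name that option and its default so extension authors do not silently lose existing links.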
