diff roundup/cgi/client.py @ 4088:34434785f308

Plug a number of security holes:

- EditCSV and ExportCSV altered to include permission checks
- HTTP POST required on actions which alter data
- HTML file uploads served as application/octet-stream
- New item action rejects creation of new users
- Item retirement was not being controlled

Additionally include documentation of the changes and modify affected tests.
author Richard Jones <richard@users.sourceforge.net>
date Thu, 12 Mar 2009 02:25:03 +0000
parents bbab97f8ffb2
children 3f3f44e3534c
--- a/roundup/cgi/client.py	Tue Mar 10 21:01:20 2009 +0000
+++ b/roundup/cgi/client.py	Thu Mar 12 02:25:03 2009 +0000
@@ -853,6 +853,13 @@
 
         mime_type = klass.get(nodeid, 'type')
 
+        # if the mime_type is HTML-ish then make sure we're allowed to serve up
+        # HTML-ish content
+        if mime_type in ('text/html', 'text/x-html'):
+            if not self.instance.config['WEB_ALLOW_HTML_FILE']:
+                # do NOT serve the content up as HTML
+                mime_type = 'application/octet-stream'
+
         # If this object is a file (i.e., an instance of FileClass),
         # see if we can find it in the filesystem.  If so, we may be
         # able to use the more-efficient request.sendfile method of
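Review bot: the downgrade to `application/octet-stream` only fires when `mime_type` is exactly `'text/html'` or `'text/x-html'`, so a stored type that differs in case (`'Text/HTML'`) or carries parameters (`'text/html; charset=utf-8'`) would still be served as HTML when `WEB_ALLOW_HTML_FILE` is off. Normalise before comparing, e.g. `base_type = mime_type.split(';')[0].strip().lower()` and test `base_type in ('text/html', 'text/x-html')`. Consider also whether the denylist should cover other script-capable types such as `application/xhtml+xml`, and note in the added comment that `WEB_ALLOW_HTML_FILE` must exist in the config schema with a safe default, since a missing key would raise here rather than fall closed.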

Roundup Issue Tracker: http://roundup-tracker.org/