Mercurial > p > roundup > code
view roundup/cgi/exceptions.py @ 4851:24b8011cd2dc
Fix XSS in issue2550817
Note that the code that triggers that particular bug is no longer in
roundup core. But the change to the templates we suggest is a *lot*
safer as it always escapes the error and ok messages now.
If you are upgrading: you *MUST* read doc/upgrading.txt and do the
necessary changes to your templates, the escaping now happens in the
template and not in the roundup code. So if you don't make the necessary
changes *you are vulnerable*.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 20 Dec 2013 18:24:10 +0100 |
| parents | bbab97f8ffb2 |
| children | 65fef7858606 |
line wrap: on
line source
"""Exceptions for use in Roundup's web interface. """ __docformat__ = 'restructuredtext' from roundup.exceptions import LoginError, Unauthorised import cgi class HTTPException(Exception): pass class Redirect(HTTPException): pass class NotFound(HTTPException): pass class NotModified(HTTPException): pass class FormError(ValueError): """An 'expected' exception occurred during form parsing. That is, something we know can go wrong, and don't want to alarm the user with. We trap this at the user interface level and feed back a nice error to the user. """ pass class SendFile(Exception): """Send a file from the database.""" class SendStaticFile(Exception): """Send a static file from the instance html directory.""" class SeriousError(Exception): """Raised when we can't reasonably display an error message on a templated page. The exception value will be displayed in the error page, HTML escaped. """ def __str__(self): return """ <html><head><title>Roundup issue tracker: An error has occurred</title> <link rel="stylesheet" type="text/css" href="@@file/style.css"> </head> <body class="body" marginwidth="0" marginheight="0"> <p class="error-message">%s</p> </body></html> """%cgi.escape(self.args[0]) # vim: set filetype=python sts=4 sw=4 et si :