Mercurial > p > roundup > code
view test/README.txt @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | a86b0c02940d |
| children | 132d450bdc00 |
line wrap: on
line source
A number of tests uses the infrastructure of db_test_base.py grep "from db_test_base" -l *.py benchmark.py session_common.py test_anydbm.py test_indexer.py test_memorydb.py test_mysql.py test_postgresql.py test_security.py test_sqlite.py test_userauditor.py grep "import db_test_base" -l *.py test_cgi.py test_jinja2.py test_mailgw.py test_xmlrpc.py grep "import memory\|from memory" -l *.py test_mailgw.py test_memorydb.py The remaining lines are an 2001 description from Richard, which probably is outdated: Structure of the tests: 1 Test date classes 1.1 Date 1.2 Interval 2 Set up schema 3 Open with specific backend 3.1 anydbm 4 Create database base set (stati, priority, etc) 5 Perform some actions 6 Perform mail import 6.1 text/plain 6.2 multipart/mixed (with one text/plain) 6.3 text/html 6.4 multipart/alternative (with one text/plain) 6.5 multipart/alternative (with no text/plain)