Mercurial > p > roundup > code
view website/issues/detectors/newissuecopy.py @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 35ea9b1efc14 |
| children |
line wrap: on
line source
from roundup import roundupdb def newissuecopy(db, cl, nodeid, oldvalues): ''' Copy a message about new issues to a team address. ''' # so use all the messages in the create change_note = cl.generateCreateNote(nodeid) # send a copy to the nosy list for msgid in cl.get(nodeid, 'messages'): try: # note: last arg must be a list cl.send_message(nodeid, msgid, change_note, ['roundup-devel@lists.sourceforge.net']) except roundupdb.MessageSendError as message: raise roundupdb.DetectorError(message) def init(db): db.issue.react('create', newissuecopy) #SHA: 6ed003c947e1f9df148f8f4500b7c2e68a45229b