Mercurial > p > roundup > code
view website/issues/detectors/patches.py @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 0942fe89e82e |
| children |
line wrap: on
line source
# Auditor for patch files # Patches should be declared as text/plain (also .py files), # independent of what the browser says, and # the "patch" keyword should get set automatically. import posixpath patchtypes = ('.diff', '.patch') sourcetypes = ('.diff', '.patch', '.py') def ispatch(file, types): return posixpath.splitext(file)[1] in types def patches_text_plain(db, cl, nodeid, newvalues): if ispatch(newvalues['name'], sourcetypes): newvalues['type'] = 'text/plain' def patches_keyword(db, cl, nodeid, newvalues): # Check whether there are any new files newfiles = set(newvalues.get('files',())) if nodeid: newfiles -= set(db.issue.get(nodeid, 'files')) # Check whether any of these is a patch newpatch = False for fileid in newfiles: if ispatch(db.file.get(fileid, 'name'), patchtypes): newpatch = True break if newpatch: # Add the patch keyword if its not already there patchid = db.keyword.lookup("patch") oldkeywords = [] if nodeid: oldkeywords = db.issue.get(nodeid, 'keywords') if patchid in oldkeywords: # This is already marked as a patch return if 'keywords' not in newvalues: newvalues['keywords'] = oldkeywords newvalues['keywords'].append(patchid) def init(db): db.file.audit('create', patches_text_plain) db.issue.audit('create', patches_keyword) db.issue.audit('set', patches_keyword)