Mercurial > p > roundup > code
view website/issues/extensions/timezone.py @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
prior to 2.4.0 release this weekend that fixes the last two CVE's.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 7d8e0dbb0852 |
| children |
line wrap: on
line source
# Utility for replacing the simple input field for the timezone with # a select-field that lists the available values. import cgi try: import pytz except ImportError: pytz = None def tzfield(prop, name, default): if pytz: value = prop.plain() if '' == value: value = default else: try: value = "Etc/GMT%+d" % int(value) except ValueError: pass l = ['<select name="%s">' % name] for zone in pytz.all_timezones: s = ' ' if zone == value: s = 'selected=selected ' z = cgi.escape(zone) l.append('<option %svalue="%s">%s</option>' % (s, z, z)) l.append('</select>') return '\n'.join(l) else: return prop.field() def init(instance): instance.registerUtil('tzfield', tzfield)