Mercurial > p > roundup > code
view detectors/creator_resolution.py @ 8356:63390dcfcfe9
bug: fix template use of structure with untrusted data
Looks like an xSS bug with an early version of the template that was
fixed in the code but never in the deployed tracker. It has been a
while since this particular construct has been in the classic template
which is the base for the tracker.
This has been fixed on the deployed tracker as well.
reported by 4bug of ChaMd5 Security Team H1 Group
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 08 Jul 2025 10:23:09 -0400 |
| parents | 0942fe89e82e |
| children |
line wrap: on
line source
# This detector was written by richard@mechanicalcat.net and it's been # placed in the Public Domain. Copy and modify to your heart's content. from roundup.exceptions import Reject def creator_resolution(db, cl, nodeid, newvalues): '''Catch attempts to set the status to "resolved" - if the assignedto user isn't the creator, then set the status to "in-progress" (try "confirm-done" first though, but "classic" Roundup doesn't have that status) ''' if 'status' not in newvalues: return # get the resolved state ID resolved_id = db.status.lookup('resolved') if newvalues['status'] != resolved_id: return # check the assignedto assignedto = newvalues.get('assignedto', cl.get(nodeid, 'assignedto')) creator = cl.get(nodeid, 'creator') if assignedto == creator: if db.getuid() != creator: name = db.user.get(creator, 'username') raise Reject('Only the creator (%s) may close this issue'%name) return # set the assignedto and status newvalues['assignedto'] = creator try: status = db.status.lookup('confirm-done') except KeyError: status = db.status.lookup('in-progress') newvalues['status'] = status def init(db): db.issue.audit('set', creator_resolution) # vim: set filetype=python ts=4 sw=4 et si