Mercurial > p > roundup > code
view roundup/cgi/exceptions.py @ 8356:63390dcfcfe9
bug: fix template use of structure with untrusted data
Looks like an xSS bug with an early version of the template that was
fixed in the code but never in the deployed tracker. It has been a
while since this particular construct has been in the classic template
which is the base for the tracker.
This has been fixed on the deployed tracker as well.
reported by 4bug of ChaMd5 Security Team H1 Group
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 08 Jul 2025 10:23:09 -0400 |
| parents | a1cffeef5f87 |
| children | 700424ba015c |
line wrap: on
line source
"""Exceptions for use in Roundup's web interface. """ __docformat__ = 'restructuredtext' from roundup.exceptions import LoginError, Unauthorised # noqa: F401 from roundup.anypy.html import html_escape from roundup.exceptions import RoundupException class RoundupCGIException(RoundupException): pass class HTTPException(RoundupCGIException): pass class Redirect(HTTPException): pass class NotFound(HTTPException): pass class NotModified(HTTPException): pass class PreconditionFailed(HTTPException): pass class DetectorError(RoundupException): """Raised when a detector throws an exception. Contains details of the exception.""" def __init__(self, subject, html, txt): self.subject = subject self.html = html self.txt = txt BaseException.__init__(self, subject + ' ' + txt) class FormError(ValueError): """An 'expected' exception occurred during form parsing. That is, something we know can go wrong, and don't want to alarm the user with. We trap this at the user interface level and feed back a nice error to the user. """ pass class IndexerQueryError(RoundupException): """Raised to handle errors from FTS searches due to query syntax errors. """ pass class SendFile(RoundupException): """Send a file from the database.""" class SendStaticFile(RoundupException): """Send a static file from the instance html directory.""" class SeriousError(RoundupException): """Raised when we can't reasonably display an error message on a templated page. The exception value will be displayed in the error page, HTML escaped. """ def __str__(self): return """ <html><head><title>Roundup issue tracker: An error has occurred</title> <link rel="stylesheet" type="text/css" href="@@file/style.css"> </head> <body class="body" marginwidth="0" marginheight="0"> <p class="error-message">%s</p> </body></html> """ % html_escape(self.args[0]) # vim: set filetype=python sts=4 sw=4 et si :