Mercurial > p > roundup > code
view tools/migrate-queries.py @ 8356:63390dcfcfe9
bug: fix template use of structure with untrusted data
Looks like an xSS bug with an early version of the template that was
fixed in the code but never in the deployed tracker. It has been a
while since this particular construct has been in the classic template
which is the base for the tracker.
This has been fixed on the deployed tracker as well.
reported by 4bug of ChaMd5 Security Team H1 Group
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 08 Jul 2025 10:23:09 -0400 |
| parents | 64b05e24dbd8 |
| children | fed0f839c260 |
line wrap: on
line source
#! /usr/bin/env python ''' migrate-queries <instance-home> [<instance-home> *] Migrate old queries in the specified instances to Roundup 0.6.0+ by removing the leading ? from their URLs. 0.6.0+ queries do not carry a leading ?; it is added by the 0.6.0 templating, so old queries lead to query URLs with a double leading ?? and a consequent 404 Not Found. ''' from __future__ import print_function __author__ = 'James Kew <jkew@mediabright.co.uk>' import sys import roundup.instance if len(sys.argv) == 1: print(__doc__) sys.exit(1) # Iterate over all instance homes specified in argv. for home in sys.argv[1:]: # Do some basic exception handling to catch bad arguments. try: instance = roundup.instance.open(home) except: print('Cannot open instance home directory %s!' % home) continue db = instance.open('admin') db.tx_Source = "cli" print('Migrating active queries in %s (%s):'%( instance.config.TRACKER_NAME, home)) for query in db.query.list(): url = db.query.get(query, 'url') if url[0] == '?': url = url[1:] print(' Migrating query%s (%s)'%(query, db.query.get(query, 'name'))) db.query.set(query, url=url) db.commit() db.close()