Mercurial > p > roundup > code
view website/issues/initial_data.py @ 8356:63390dcfcfe9
bug: fix template use of structure with untrusted data
Looks like an xSS bug with an early version of the template that was
fixed in the code but never in the deployed tracker. It has been a
while since this particular construct has been in the classic template
which is the base for the tracker.
This has been fixed on the deployed tracker as well.
reported by 4bug of ChaMd5 Security Team H1 Group
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 08 Jul 2025 10:23:09 -0400 |
| parents | c2d0d3e9099d |
| children |
line wrap: on
line source
from roundup.password import Password # # TRACKER INITIAL PRIORITY AND STATUS VALUES # issue_type = db.getclass('issue_type') issue_type.create(name='crash', order='1') issue_type.create(name='compile error', order='2') issue_type.create(name='resource usage', order='3') issue_type.create(name='security', order='4') issue_type.create(name='behavior', order='5') issue_type.create(name='rfe', order='6') component = db.getclass('component') #component.create(name="any", order="1") #component.create(name="3rd party modifications", order="2") #component.create(name="command-line interface", order="3") #component.create(name="database", order="4") #component.create(name="documentation", order="5") #component.create(name="installation", order="6") #component.create(name="mail interface", order="7") #component.create(name="web interface", order="8") version = db.getclass('version') version.create(name='devel', order='1') version.create(name='1.0', order='2') version.create(name='1.1', order='3') version.create(name='1.2', order='4') version.create(name='1.3', order='5') version.create(name='1.4', order='6') severity = db.getclass('severity') severity.create(name='critical', order='1') severity.create(name='urgent', order='2') severity.create(name='major', order='3') severity.create(name='normal', order='4') severity.create(name='minor', order='5') priority = db.getclass('priority') priority.create(name='immediate', order='1') priority.create(name='urgent', order='2') priority.create(name='high', order='3') priority.create(name='normal', order='4') priority.create(name='low', order='5') status = db.getclass('status') status.create(name = "new", order = "1") status.create(name='open', order='2') status.create(name='closed', order='3') status.create(name='pending', description='user feedback required', order='4') resolution = db.getclass('resolution') resolution.create(name='accepted', order='1') resolution.create(name='duplicate', order='2') resolution.create(name='fixed', order='3') resolution.create(name='invalid', order='4') resolution.create(name='later', order='5') resolution.create(name='out of date', order='6') resolution.create(name='postponed', order='7') resolution.create(name='rejected', order='8') resolution.create(name='remind', order='9') resolution.create(name='wont fix', order='10') resolution.create(name='works for me', order='11') keyword = db.getclass("keyword") keyword.create(name="patch", description="Contains patch") # # create the two default users user = db.getclass('user') user.create(username="admin", password=adminpw, address=admin_email, roles='Admin') user.create(username="anonymous", roles='Anonymous')