Mercurial > p > roundup > code
view website/issues/html/user.forgotten.html @ 8357:abf1297e7a94
bug(security): fix XSS exploit in devel and responsive templates
Replace all occurances of:
tal:content="structure context/MUMBLE/plain"
with
tal:content="context/MUMBLE/plain"
This seems to have been an old way to handle display of a field when
the user did not have edit rights. It does not occur in current (later
than 2009) classic tracker templates. But probably was unsed in
earlier classic templates since devel, reponsive and the roundup issue
tracker templates were based on classic.
Add CVE placeholder to security.txt and link to fix directions added
to upgrading.txt. Add note in announcement.txt and CHANGES.txt
Add a details element around the table of contents in the upgrading
guide. It was getting long.
Updated a missed XSS issue in the roundup tracker template. Live site
is already fixed.
XSS bug reported by 4bug of ChaMd5 Security Team H1 Group
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 08 Jul 2025 13:38:08 -0400 |
| parents | 53e9694788f5 |
| children |
line wrap: on
line source
<tal:block metal:use-macro="templates/page/macros/icing"> <title metal:fill-slot="head_title" i18n:translate="">Password reset request - <span i18n:name="tracker" tal:replace="config/TRACKER_NAME" /></title> <span metal:fill-slot="body_title" tal:omit-tag="python:1" i18n:translate="">Password reset request</span> <td class="content" metal:fill-slot="content"> <tal:askforinfo tal:condition="python:options['error_message'] or '@action' not in request.form"> <p i18n:translate="">You have two options if you have forgotten your password. If you know the email address you registered with, enter it below.</p> <p i18n:translate="">If your user was automatically created during import from the old sourceforge tracker, your e-mail address is <Sourceforge username>@users.sourceforge.net. The mail address associated with your account can be changed after login.</p> <form method="POST" onSubmit="return submit_once()" tal:attributes="action context/designator"> <table class="form"> <tr> <th i18n:translate="">Email Address:</th> <td><input name="address"></td> </tr> <tr> <td> </td> <td> <input type="hidden" name="@action" value="passrst"> <input type="hidden" name="@template" value="forgotten"> <input type="submit" value="Request password reset" i18n:attributes="value"> <input name="@csrf" type="hidden" tal:attributes="value python:utils.anti_csrf_nonce()"> </td> </tr> </table> <p i18n:translate="">Or, if you know your username, then enter it below.</p> <p i18n:translate="">If you have previously created or modified issue reports in the sourceforge issue tracker, you have an account here with the same username as your sourceforge username.</p> <table class="form"> <tr><th i18n:translate="">Username:</th> <td><input name="username"></td> </tr> <tr><td></td><td><input type="submit" value="Request password reset" i18n:attributes="value"></td></tr> </table> </form> <p i18n:translate="">A confirmation email will be sent to you - please follow the instructions within it to complete the reset process.</p> </tal:askforinfo> </td> g </tal:block>