changeset 4585:033a550812fc

Fix another XSS with the "otk" parameter. Thanks to Jesse Ruderman for reporting.
author Ralf Schlatterbeck <rsc@runtux.com>
date Tue, 07 Feb 2012 14:39:02 +0100
parents 760483ce731e
children b21bb66de6ff
files CHANGES.txt doc/acknowledgements.txt roundup/backends/sessions_dbm.py roundup/backends/sessions_rdbms.py
diffstat 4 files changed, 9 insertions(+), 4 deletions(-) [+]
--- a/CHANGES.txt	Mon Jan 30 14:52:14 2012 +0100
+++ b/CHANGES.txt	Tue Feb 07 14:39:02 2012 +0100
@@ -75,6 +75,8 @@
   the patch.
 - Fix override of TemplatingUtils in instance.py, thanks to Cheer Xiao
   for the patch.
+- Fix another XSS with the "otk" parameter, thanks to Jesse Ruderman for
+  reporting. (Ralf)
 
 
 2011-07-15: 1.4.19
--- a/doc/acknowledgements.txt	Mon Jan 30 14:52:14 2012 +0100
+++ b/doc/acknowledgements.txt	Tue Feb 07 14:39:02 2012 +0100
@@ -118,6 +118,7 @@
 Roy Rapoport,
 John P. Rouillard,
 Luke Ross,
+Jesse Ruderman,
 Ollie Rutherfurd,
 Toby Sargeant,
 Giuseppe Scelsi,
--- a/roundup/backends/sessions_dbm.py	Mon Jan 30 14:52:14 2012 +0100
+++ b/roundup/backends/sessions_dbm.py	Tue Feb 07 14:39:02 2012 +0100
@@ -8,6 +8,7 @@
 
 import os, marshal, time
 
+from cgi import escape
 from roundup import hyperdb
 from roundup.i18n import _
 from roundup.anypy.dbm_ import anydbm, whichdb, key_in
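Review bot: `from cgi import escape` on the added line binds the fix to an API that later Python releases deprecated (3.2) and removed (3.8); the same import is added in sessions_rdbms.py. If the project targets only Python 2 at this point that is fine, but a short note next to the import would spare the next maintainer a surprise, e.g. `# cgi.escape is gone in Python 3.8; html.escape is the replacement (it also escapes quotes by default)`.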
@@ -64,7 +65,7 @@
             else:
                 if default != self._marker:
                     return default
-                raise KeyError('No such %s "%s"'%(self.name, infoid))
+                raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))
             return values.get(value, None)
         finally:
             db.close()
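Review bot: `escape(infoid)` on the new raise line is called without `quote=True`, so a double quote inside infoid passes through untouched even though the message itself wraps the value in double quotes; wherever that text lands inside an HTML attribute it remains injectable. `escape(infoid, True)` closes that gap, and the same applies to the raise in the second hunk of this file and to both hunks in sessions_rdbms.py. Escaping inside the exception message fixes the page that renders it but leaves the KeyError text HTML-encoded for every other consumer (logs, command line), so a comment recording that trade-off would help, e.g. `# infoid comes straight from the request; escaped here because the message ends up in the error page`. If infoid can be anything other than a str, escape() will raise AttributeError rather than KeyError, which is worth confirming against the callers. The enclosing get method starts outside the hunk.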
@@ -77,7 +78,7 @@
                 del d['__timestamp']
                 return d
             except KeyError:
-                raise KeyError('No such %s "%s"'%(self.name, infoid))
+                raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))
         finally:
             db.close()
 
--- a/roundup/backends/sessions_rdbms.py	Mon Jan 30 14:52:14 2012 +0100
+++ b/roundup/backends/sessions_rdbms.py	Tue Feb 07 14:39:02 2012 +0100
@@ -7,6 +7,7 @@
 __docformat__ = 'restructuredtext'
 
 import os, time
+from cgi import escape
 
 class BasicDatabase:
     ''' Provide a nice encapsulation of an RDBMS table.
@@ -35,7 +36,7 @@
         if not res:
             if default != self._marker:
                 return default
-            raise KeyError('No such %s "%s"'%(self.name, infoid))
+            raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))
         values = eval(res[0])
         return values.get(value, None)
 
@@ -45,7 +46,7 @@
             n, n, self.db.arg), (infoid,))
         res = self.cursor.fetchone()
         if not res:
-            raise KeyError('No such %s "%s"'%(self.name, infoid))
+            raise KeyError('No such %s "%s"'%(self.name, escape (infoid)))
         return eval(res[0])
 
     def set(self, infoid, **newvalues):
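Review bot: `escape (infoid)` on the new raise line has a space before the parenthesis, unlike the three other call sites this commit introduces; `raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))` keeps the four consistent. The enclosing get method starts outside the hunk. Separately, `return eval(res[0])` on the context line (and `values = eval(res[0])` in the previous hunk) reloads the stored session row with eval; that predates this change, but a note such as `# stored session values are reloaded with eval, so only trusted DB content may reach here` would document the assumption the code presumably relies on.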
