changeset 3971:ff3a8b7d1819 1.4.4
security fixes
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Sat, 01 Mar 2008 08:18:07 +0000 |
| parents | c5376b2f7bbf |
| children | eee76dd4a09f |
| files | CHANGES.txt doc/announcement.txt doc/index.txt roundup/__init__.py roundup/cgi/templating.py setup.py templates/classic/html/_generic.help-list.html templates/classic/html/_generic.help.html templates/classic/html/page.html templates/minimal/html/_generic.help.html templates/minimal/html/page.html |
| diffstat | 11 files changed, 41 insertions(+), 34 deletions(-) [+] |
--- a/CHANGES.txt Wed Feb 27 20:57:56 2008 +0000
+++ b/CHANGES.txt Sat Mar 01 08:18:07 2008 +0000
@@ -1,6 +1,11 @@
 This file contains the changes to the Roundup system over time. The entries are given with the most recent entry first.
+2008-03-01 1.4.4
+Fixed:
+- Security fixes (thanks Roland Meister)
+
+
 2008-02-27 1.4.3
 Fixed:
 - MySQL backend bug introduced in 1.4.2 (TEXT columns need a size when
--- a/doc/announcement.txt Wed Feb 27 20:57:56 2008 +0000
+++ b/doc/announcement.txt Sat Mar 01 08:18:07 2008 +0000
@@ -1,8 +1,7 @@
-I'm proud to release version 1.4.3 of Roundup.
+I'm proud to release version 1.4.4 of Roundup.
-Just one bug was fixed in 1.4.3:
-
-- MySQL backend bug introduced in 1.4.2
+1.4.4 is a security fix release. All installations of Roundup are strongly
+encouraged to update.
 If you're upgrading from an older version of Roundup you *must* follow the "Software Upgrade" guidelines given in the maintenance documentation.
--- a/doc/index.txt Wed Feb 27 20:57:56 2008 +0000
+++ b/doc/index.txt Sat Mar 01 08:18:07 2008 +0000
@@ -130,6 +130,7 @@
 Georges Martin,
 Gordon McMillan,
 John F Meinel Jr,
+Roland Meister,
 Ulrik Mikaelsson,
 John Mitchell,
 Ramiro Morales,
--- a/roundup/__init__.py Wed Feb 27 20:57:56 2008 +0000
+++ b/roundup/__init__.py Sat Mar 01 08:18:07 2008 +0000
@@ -15,7 +15,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 #
-# $Id: __init__.py,v 1.50 2008-02-27 08:32:50 richard Exp $
+# $Id: __init__.py,v 1.51 2008-03-01 08:18:06 richard Exp $
 '''Roundup - issue tracking for knowledge workers.
@@ -68,6 +68,6 @@
 '''
 __docformat__ = 'restructuredtext'
-__version__ = '1.4.3'
+__version__ = '1.4.4'
 # vim: set filetype=python ts=4 sw=4 et si
--- a/roundup/cgi/templating.py Wed Feb 27 20:57:56 2008 +0000
+++ b/roundup/cgi/templating.py Sat Mar 01 08:18:07 2008 +0000
@@ -878,7 +878,7 @@
 prop = self[prop_n]
 if not isinstance(prop, HTMLProperty):
 continue
-current[prop_n] = prop.plain()
+current[prop_n] = prop.plain(escape=1)
 # make link if hrefable
 if (self._props.has_key(prop_n) and
 isinstance(self._props[prop_n], hyperdb.Link)):
@@ -979,6 +979,7 @@
 if labelprop is not None and \
 labelprop != 'id':
 label = linkcl.get(linkid, labelprop)
+label = cgi.escape(label)
 except IndexError:
 comments['no_link'] = self._(
 "<strike>The linked node"
@@ -1002,7 +1003,8 @@
 # there's no labelprop!
 if labelprop is not None and labelprop != 'id':
 try:
-label = linkcl.get(args[k], labelprop)
+label = cgi.escape(linkcl.get(args[k],
+labelprop))
 except IndexError:
 comments['no_link'] = self._(
 "<strike>The linked node"
@@ -1012,7 +1014,8 @@
 label = None
 if label is not None:
 if hrefable:
-old = '<a href="%s%s">%s</a>'%(classname, args[k], label)
+old = '<a href="%s%s">%s</a>'%(classname,
+args[k], label)
 else:
 old = label;
 cell.append('%s: %s' % (self._(k), old))
@@ -1369,7 +1372,7 @@
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 value = self._value
 if value is None:
@@ -1423,7 +1426,7 @@
 return value
 class PasswordHTMLProperty(HTMLProperty):
-def plain(self):
+def plain(self, escape=0):
 """ Render a "plain" representation of the property
 """
 if not self.is_view_ok():
@@ -1439,7 +1442,7 @@
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 return self.input(type="password", name=self._formname, size=size)
@@ -1459,7 +1462,7 @@
 size=size)
 class NumberHTMLProperty(HTMLProperty):
-def plain(self):
+def plain(self, escape=0):
 """ Render a "plain" representation of the property
 """
 if not self.is_view_ok():
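Review bot: `label = cgi.escape(label)` in the hunk at 979, and the wrapped `cgi.escape(linkcl.get(args[k], labelprop))` in the hunk at 1002, assume `linkcl.get()` hands back a string; if the label property of the linked node is unset (the surrounding code already deals with `label = None`) or holds a non-string value, `cgi.escape` raises on its internal `.replace` where the old code passed the value through to the later `if label is not None` guard. Keeping the fix and the old tolerance is one extra line in each place: `label = linkcl.get(linkid, labelprop)` followed by `if label is not None: label = cgi.escape(label)` (with a `str()` conversion first if the property can be non-string). Note also that `cgi.escape` without `quote=True` leaves `"` untouched, so the escaped label is safe as element text but must not be reused inside an attribute value. The hunk does not show a `cgi` import; confirm that `templating.py` already imports it at module level, since the first journal render with a labelled link would otherwise fail with NameError. The enclosing method starts and ends outside the hunk.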
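Review bot: The reflowed `'<a href="%s%s">%s</a>'%(classname, args[k], label)` in the hunk at 1012 now gets an escaped `label` but still interpolates `classname` and `args[k]` into the href attribute raw. That is fine only if `args[k]` is always a numeric node id, which the visible lines do not establish; a short comment stating the assumption would save the next reader an audit, e.g. `# args[k] is a node id (digits only), so it needs no attribute quoting`, or the value can be passed through `cgi.escape(..., quote=True)` at the same time. The enclosing method starts and ends outside the hunk.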
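Review bot: `def plain(self, escape=0):` in the hunk at 1423 adds the parameter to `PasswordHTMLProperty.plain`, as do the hunks at 1459 (`NumberHTMLProperty`), and on the following line at 1496 (`BooleanHTMLProperty`), 1549 and 1720 (class headers outside the hunks), but none of the visible lines use it and the docstring `""" Render a "plain" representation of the property` says nothing about it. The bodies lie outside the hunks, so whether the flag is honoured or merely accepted so that `field()`'s `self.plain(escape=1)` fallback works on every subclass cannot be confirmed here; if it is the latter, say so in each docstring, e.g. `""" Render a "plain" representation of the property. escape is accepted for interface compatibility with HTMLProperty.plain(); see the body for whether it is applied. """`. If any of these bodies does emit a user-supplied string, the flag should be applied rather than ignored.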
@@ -1476,7 +1479,7 @@
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 value = self._value
 if value is None:
@@ -1496,7 +1499,7 @@
 class BooleanHTMLProperty(HTMLProperty):
-def plain(self):
+def plain(self, escape=0):
 """ Render a "plain" representation of the property
 """
 if not self.is_view_ok():
@@ -1512,7 +1515,7 @@
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 value = self._value
 if isinstance(value, str) or isinstance(value, unicode):
@@ -1549,7 +1552,7 @@
 if self._offset is None :
 self._offset = self._prop.offset (self._db)
-def plain(self):
+def plain(self, escape=0):
 """ Render a "plain" representation of the property
 """
 if not self.is_view_ok():
@@ -1600,7 +1603,7 @@
 """
 if not self.is_edit_ok():
 if format is self._marker:
-return self.plain()
+return self.plain(escape=1)
 else:
 return self.pretty(format)
@@ -1720,7 +1723,7 @@
 if self._value and not isinstance(self._value, (str, unicode)):
 self._value.setTranslator(self._client.translator)
-def plain(self):
+def plain(self, escape=0):
 """ Render a "plain" representation of the property
 """
 if not self.is_view_ok():
@@ -1744,7 +1747,7 @@
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 value = self._value
 if value is None:
@@ -1806,7 +1809,7 @@
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 # edit field
 linkcl = self._db.getclass(self._prop.classname)
@@ -1842,7 +1845,7 @@
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 if value is None:
 value = self._value
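Review bot: In the hunk at 1600 the `format is self._marker` branch now returns `self.plain(escape=1)`, but the sibling `return self.pretty(format)` branch still returns its result without escaping. Whether that matters depends on `pretty()`, which is outside the hunk: if it only expands strftime-style directives the output is inert, whereas a format string with literal text would reach the page as markup; since the format comes from the template author rather than the request this is a documentation point more than a defect. A one-line comment on the `else:` branch recording the assumption, e.g. `# pretty() emits date text only, so no escaping is applied here`, would stop the next reader from re-auditing it. The enclosing method starts outside the hunk.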
@@ -1999,7 +2002,7 @@
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 linkcl = self._db.getclass(self._prop.classname)
 value = self._value[:]
@@ -2034,7 +2037,7 @@
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 if value is None:
 value = self._value
--- a/setup.py Wed Feb 27 20:57:56 2008 +0000
+++ b/setup.py Sat Mar 01 08:18:07 2008 +0000
@@ -16,7 +16,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 #
-# $Id: setup.py,v 1.101 2008-02-27 20:57:56 richard Exp $
+# $Id: setup.py,v 1.102 2008-03-01 08:18:06 richard Exp $
 from distutils.core import setup, Extension
 from distutils.util import get_platform
@@ -352,9 +352,8 @@
 '''In this release
 ===============
-Just one bug was fixed in 1.4.3:
-
-- MySQL backend bug introduced in 1.4.2
+1.4.4 is a security fix release. All installations of Roundup are strongly
+encouraged to update.
 If you're upgrading from an older version of Roundup you *must* follow the "Software Upgrade" guidelines given in the maintenance documentation.
--- a/templates/classic/html/_generic.help-list.html Wed Feb 27 20:57:56 2008 +0000
+++ b/templates/classic/html/_generic.help-list.html Sat Mar 01 08:18:07 2008 +0000
@@ -1,4 +1,4 @@
-<!-- $Id: _generic.help-list.html,v 1.1 2006-09-18 00:03:02 tobias-herp Exp $ vim: sw=2 ts=8 et
+<!-- $Id: _generic.help-list.html,v 1.2 2008-03-01 08:18:07 richard Exp $ vim: sw=2 ts=8 et
 --><html tal:define="vok context/is_view_ok">
 <head>
 <title>Search result for user helper</title>
@@ -64,7 +64,7 @@
 <td tal:repeat="prop props">
 <label class="classhelp-label"
 tal:attributes="for string:id_$attr"
-tal:content="structure python:item[prop]"></label>
+tal:content="python:item[prop]"></label>
 </td>
 </tal:block>
 </tr>
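Review bot: Dropping `structure` from `tal:content="python:item[prop]"` in the hunk at 64 (and in the identical hunks at 83 of `_generic.help.html` in the classic and minimal templates) means the TAL engine now quotes the property value before inserting it. That is the right default for a value that is plain text, but if any `item[prop]` was relying on `structure` to render markup — a property shown as a link, for instance — it will now appear as literal text in the help list; the template does not show how `item` is built, so this is worth one check against the class-help output. A comment on the `<label>` would record the intent for the next editor: `<!-- no 'structure': property values are quoted by TAL on purpose -->`.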
--- a/templates/classic/html/_generic.help.html Wed Feb 27 20:57:56 2008 +0000
+++ b/templates/classic/html/_generic.help.html Sat Mar 01 08:18:07 2008 +0000
@@ -83,7 +83,7 @@
 <td tal:repeat="prop props">
 <label class="classhelp-label"
 tal:attributes="for string:id_$attr"
-tal:content="structure python:item[prop]"></label>
+tal:content="python:item[prop]"></label>
 </td>
 </tal:block>
 </tr>
--- a/templates/classic/html/page.html Wed Feb 27 20:57:56 2008 +0000
+++ b/templates/classic/html/page.html Sat Mar 01 08:18:07 2008 +0000
@@ -144,7 +144,7 @@
 <p class="userblock" tal:condition="python:request.user.username != 'anonymous'">
 <b i18n:translate="">Hello, <span i18n:name="user"
-tal:replace="request/user/username">username</span></b><br>
+tal:replace="python:request.user.username.plain(escape=1)">username</span></b><br>
 <a href="#" tal:attributes="href python:request.indexargs_url('issue', {
 '@sort': '-activity',
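Review bot: `tal:replace="python:request.user.username.plain(escape=1)"` in the hunk at 144 (and the same change in the minimal template's hunk at 143) escapes the username inside `plain()` and then hands the result to a non-`structure` `tal:replace`. If this TAL implementation also quotes non-structure replacements, a username containing `&`, `<` or `>` will be escaped twice and show a literal `&amp;` on the page; if it does not, the change is exactly what is needed, but the template alone cannot tell the reader which case applies. Either way the reason for switching from the path expression to a python expression is not obvious, so a short comment next to it helps: `<!-- plain(escape=1): the bare path expression did not quote the username -->`.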
--- a/templates/minimal/html/_generic.help.html Wed Feb 27 20:57:56 2008 +0000
+++ b/templates/minimal/html/_generic.help.html Sat Mar 01 08:18:07 2008 +0000
@@ -83,7 +83,7 @@
 <td tal:repeat="prop props">
 <label class="classhelp-label"
 tal:attributes="for string:id_$attr"
-tal:content="structure python:item[prop]"></label>
+tal:content="python:item[prop]"></label>
 </td>
 </tal:block>
 </tr>
--- a/templates/minimal/html/page.html Wed Feb 27 20:57:56 2008 +0000
+++ b/templates/minimal/html/page.html Sat Mar 01 08:18:07 2008 +0000
@@ -143,7 +143,7 @@
 <p class="userblock" tal:condition="python:request.user.username != 'anonymous'">
 <b i18n:translate="">Hello, <span i18n:name="user"
-tal:replace="request/user/username">username</span></b><br>
+tal:replace="python:request.user.username.plain(escape=1)">username</span></b><br>
 <a href="#" tal:attributes="href string:user${request/user/id}" i18n:translate="">Your Details</a><br>
 <a href="#" tal:attributes="href python:request.indexargs_url('',
