annotate Apache-License-2.0.txt @ 6532:33b71a130b16
templates: properly escape inline JavaScript values
TLDR: Kallithea has issues with escaping values for use in inline JS.
Despite judicious poking of the code, no actual security vulnerabilities
have been found, just lots of corner-case bugs. This patch fixes those,
and hardens the code against actual security issues.
The long version:
To embed a Python value (typically a 'unicode' plain-text value) in a
larger file, it must be escaped in a context specific manner. Example:
>>> s = u'<script>alert("It\'s a trap!");</script>'
1) Escaped for insertion into HTML element context
>>> print cgi.escape(s)
&lt;script&gt;alert("It's a trap!");&lt;/script&gt;
2) Escaped for insertion into HTML element or attribute context
>>> print h.escape(s)
&lt;script&gt;alert(&#34;It&#39;s a trap!&#34;);&lt;/script&gt;
This is the default Mako escaping, as usually used by Kallithea.
3) Encoded as JSON
>>> print json.dumps(s)
"<script>alert(\"It's a trap!\");</script>"
4) Escaped for insertion into a JavaScript file
>>> print '(' + json.dumps(s) + ')'
("<script>alert(\"It's a trap!\");</script>")
The parentheses are not actually required for strings, but may be needed
to avoid syntax errors if the value is a number or dict (object).
5) Escaped for insertion into a HTML inline <script> element
>>> print h.js(s)
("\x3cscript\x3ealert(\"It's a trap!\");\x3c/script\x3e")
Here, we need to combine JS and HTML escaping, further complicated by
the fact that "<script>" tag contents can either be parsed in XHTML mode
(in which case '<', '>' and '&' must additionally be XML escaped) or
HTML mode (in which case '</script>' must be escaped, but not using HTML
escaping, which is not available in HTML "<script>" tags). Therefore,
the XML special characters (which can only occur in string literals) are
escaped using JavaScript string literal escape sequences.
(This, incidentally, is why modern web security best practices ban all
use of inline JavaScript...)
Unsurprisingly, Kallithea does not do (5) correctly. In most cases,
Kallithea might slap a pair of single quotes around the HTML escaped
Python value. A typical benign example:
$('#child_link').html('${_('No revisions')}');
This works in English, but if a localized version of the string contains
an apostrophe, the result will be broken JavaScript. In the more severe
cases, where the text is user controllable, it leaves the door open to
injections. In this example, the script inserts the string as HTML, so
Mako's implicit HTML escaping makes sense; but in many other cases, HTML
escaping is actually an error, because the value is not used by the
script in an HTML context.
The good news is that the HTML escaping thwarts attempts at XSS, since
it's impossible to inject syntactically valid JavaScript of any useful
complexity. It does allow JavaScript errors and gibberish to appear on
the page, though.
In these cases, the escaping has been fixed to use either the new 'h.js'
helper, which does JavaScript escaping (but not HTML escaping), OR the
new 'h.jshtml' helper (which does both), in those cases where it was
unclear if the value might be used (by the script) in an HTML context.
Some of these can probably be "relaxed" from h.jshtml to h.js later, but
for now, using h.jshtml fixes escaping and doesn't introduce new errors.
In a few places, Kallithea JSON encodes values in the controller, then
inserts the JSON (without any further escaping) into <script> tags. This
is also wrong, and carries actual risk of XSS vulnerabilities. However,
in all cases, security vulnerabilities were narrowly avoided due to other
filtering in Kallithea. (E.g. many special characters are banned from
appearing in usernames.) In these cases, the escaping has been fixed
and moved to the template, making it immediately visible that proper
escaping has been performed.
Mini-FAQ (frequently anticipated questions):
Q: Why do everything in one big, hard to review patch?
Q: Why add escaping in specific case FOO, it doesn't seem needed?
Because the goal here is to have "escape everywhere" as the default
policy, rather than identifying individual bugs and fixing them one
by one by adding escaping where needed. As such, this patch surely
introduces a lot of needless escaping. This is no different from
how Mako/Pylons HTML escape everything by default, even when not
needed: it errs on the side of needless work, to prevent erring
on the side of skipping required (and security critical) work.
As for reviewability, the most important thing to notice is not where
escaping has been introduced, but any places where it might have been
missed (or where h.jshtml is needed, but h.js is used).
Q: The added escaping is kinda verbose/ugly.
That is not a question, but yes, I agree. Hopefully it'll encourage us
to move away from inline JavaScript altogether. That's a significantly
larger job, though; with luck this patch will keep us safe and secure
until such a time as we can implement the real fix.
Q: Why not use Mako filter syntax ("${val|h.js}")?
Because of long-standing Mako bug #140, preventing use of 'h' in
filters.
Q: Why not work around bug #140, or even use straight "${val|js}"?
Because Mako still applies the default h.escape filter before the
explicitly specified filters.
Q: Where do we go from here?
Longer term, we should stop doing variable expansions in script blocks,
and instead pass data to JS via e.g. data attributes, or asynchronously
using AJAX calls. Once we've done that, we can remove inline JavaScript
altogether in favor of separate script files, and set a strict Content
Security Policy explicitly blocking inline scripting, and thus also the
most common kind of cross-site scripting attack.
author | Søren Løvborg <sorenl@unity3d.com> |
---|---|
date | Tue, 28 Feb 2017 17:19:00 +0100 |
parents | fd2dff0588bc |
children |
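The escaping described in (5) of the commit message, as an added Python 3 example that is not Kallithea's `h.js`/`h.jshtml` code: `js_inline` and `jshtml_inline` are hypothetical names, the escape order in `jshtml_inline` is an assumption, and the `var title` template is constructed. Python's `html.parser` stands in for a browser's HTML-mode parser to show what it takes as the script body when raw JSON is inserted instead.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample: the same string the commit message uses.
SAMPLE = '<script>alert("It\'s a trap!");</script>'


def js_inline(value):
    """Encode a value as a JS expression for an inline <script> element.

    json.dumps() yields a valid JS literal; '<', '>' and '&' can then only
    occur inside string literals, so rewriting them as \\xNN escapes keeps
    the JS value identical while hiding them from HTML and XHTML parsers.
    """
    encoded = json.dumps(value)  # ensure_ascii=True: non-ASCII -> \uXXXX
    for char, escape in (('&', r'\x26'), ('<', r'\x3c'), ('>', r'\x3e')):
        encoded = encoded.replace(char, escape)
    return '(' + encoded + ')'  # parentheses guard numbers and objects


def jshtml_inline(text):
    """HTML-escape first, then JS-escape (assumed order), for strings the
    script will itself insert as HTML."""
    return js_inline(html.escape(text, quote=True))


def render(js_expr):
    """Constructed template: one inline script assigning the expression."""
    return '<script>var title = ' + js_expr + ';</script>'


class ScriptCollector(HTMLParser):
    """Collects the text an HTML parser assigns to each <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None  # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self._buf = []

    def handle_endtag(self, tag):
        if tag == 'script' and self._buf is not None:
            self.scripts.append(''.join(self._buf))
            self._buf = None

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)


def script_contents(document):
    """Return the script bodies as seen by the parser in HTML mode."""
    parser = ScriptCollector()
    parser.feed(document)
    parser.close()
    return parser.scripts


def has_markup_chars(js_expr):
    """Review check: True if the expression could still be read as markup."""
    return any(char in js_expr for char in '<>&')


if __name__ == '__main__':
    raw = json.dumps(SAMPLE)      # controller-side JSON, no further escaping
    safe = js_inline(SAMPLE)
    for label, expr in (('raw JSON', raw), ('js_inline', safe)):
        seen = script_contents(render(expr))
        print(label, '| markup chars:', has_markup_chars(expr))
        print('  script body seen by parser:', seen)
    print('jshtml_inline:', jshtml_inline(SAMPLE))
```

With raw JSON the parser ends the script element at the first `</script>` inside the string literal, so the statement is cut short; with `js_inline` the whole statement stays inside the element.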
rev | line source |
---|---|
4118
fd2dff0588bc
Introduce LICENSE.md to include license information about Bootstrap 3.0.0
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
1 Apache License |
2 Version 2.0, January 2004 |
3 http://www.apache.org/licenses/ |
4 |
5 TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION |
6 |
7 1. Definitions. |
8 |
9 "License" shall mean the terms and conditions for use, reproduction, |
10 and distribution as defined by Sections 1 through 9 of this document. |
11 |
12 "Licensor" shall mean the copyright owner or entity authorized by |
13 the copyright owner that is granting the License. |
14 |
15 "Legal Entity" shall mean the union of the acting entity and all |
16 other entities that control, are controlled by, or are under common |
17 control with that entity. For the purposes of this definition, |
18 "control" means (i) the power, direct or indirect, to cause the |
19 direction or management of such entity, whether by contract or |
20 otherwise, or (ii) ownership of fifty percent (50%) or more of the |
21 outstanding shares, or (iii) beneficial ownership of such entity. |
22 |
23 "You" (or "Your") shall mean an individual or Legal Entity |
24 exercising permissions granted by this License. |
25 |
26 "Source" form shall mean the preferred form for making modifications, |
27 including but not limited to software source code, documentation |
28 source, and configuration files. |
29 |
30 "Object" form shall mean any form resulting from mechanical |
31 transformation or translation of a Source form, including but |
32 not limited to compiled object code, generated documentation, |
33 and conversions to other media types. |
34 |
35 "Work" shall mean the work of authorship, whether in Source or |
36 Object form, made available under the License, as indicated by a |
37 copyright notice that is included in or attached to the work |
38 (an example is provided in the Appendix below). |
39 |
40 "Derivative Works" shall mean any work, whether in Source or Object |
41 form, that is based on (or derived from) the Work and for which the |
42 editorial revisions, annotations, elaborations, or other modifications |
43 represent, as a whole, an original work of authorship. For the purposes |
44 of this License, Derivative Works shall not include works that remain |
45 separable from, or merely link (or bind by name) to the interfaces of, |
46 the Work and Derivative Works thereof. |
47 |
48 "Contribution" shall mean any work of authorship, including |
49 the original version of the Work and any modifications or additions |
50 to that Work or Derivative Works thereof, that is intentionally |
51 submitted to Licensor for inclusion in the Work by the copyright owner |
52 or by an individual or Legal Entity authorized to submit on behalf of |
53 the copyright owner. For the purposes of this definition, "submitted" |
54 means any form of electronic, verbal, or written communication sent |
55 to the Licensor or its representatives, including but not limited to |
56 communication on electronic mailing lists, source code control systems, |
57 and issue tracking systems that are managed by, or on behalf of, the |
58 Licensor for the purpose of discussing and improving the Work, but |
59 excluding communication that is conspicuously marked or otherwise |
60 designated in writing by the copyright owner as "Not a Contribution." |
61 |
62 "Contributor" shall mean Licensor and any individual or Legal Entity |
63 on behalf of whom a Contribution has been received by Licensor and |
64 subsequently incorporated within the Work. |
65 |
66 2. Grant of Copyright License. Subject to the terms and conditions of |
67 this License, each Contributor hereby grants to You a perpetual, |
68 worldwide, non-exclusive, no-charge, royalty-free, irrevocable |
69 copyright license to reproduce, prepare Derivative Works of, |
70 publicly display, publicly perform, sublicense, and distribute the |
71 Work and such Derivative Works in Source or Object form. |
72 |
73 3. Grant of Patent License. Subject to the terms and conditions of |
74 this License, each Contributor hereby grants to You a perpetual, |
75 worldwide, non-exclusive, no-charge, royalty-free, irrevocable |
76 (except as stated in this section) patent license to make, have made, |
77 use, offer to sell, sell, import, and otherwise transfer the Work, |
78 where such license applies only to those patent claims licensable |
79 by such Contributor that are necessarily infringed by their |
80 Contribution(s) alone or by combination of their Contribution(s) |
81 with the Work to which such Contribution(s) was submitted. If You |
82 institute patent litigation against any entity (including a |
83 cross-claim or counterclaim in a lawsuit) alleging that the Work |
84 or a Contribution incorporated within the Work constitutes direct |
85 or contributory patent infringement, then any patent licenses |
86 granted to You under this License for that Work shall terminate |
87 as of the date such litigation is filed. |
88 |
89 4. Redistribution. You may reproduce and distribute copies of the |
90 Work or Derivative Works thereof in any medium, with or without |
91 modifications, and in Source or Object form, provided that You |
92 meet the following conditions: |
93 |
94 (a) You must give any other recipients of the Work or |
95 Derivative Works a copy of this License; and |
96 |
97 (b) You must cause any modified files to carry prominent notices |
98 stating that You changed the files; and |
99 |
100 (c) You must retain, in the Source form of any Derivative Works |
101 that You distribute, all copyright, patent, trademark, and |
102 attribution notices from the Source form of the Work, |
103 excluding those notices that do not pertain to any part of |
104 the Derivative Works; and |
105 |
106 (d) If the Work includes a "NOTICE" text file as part of its |
107 distribution, then any Derivative Works that You distribute must |
108 include a readable copy of the attribution notices contained |
109 within such NOTICE file, excluding those notices that do not |
110 pertain to any part of the Derivative Works, in at least one |
111 of the following places: within a NOTICE text file distributed |
112 as part of the Derivative Works; within the Source form or |
113 documentation, if provided along with the Derivative Works; or, |
114 within a display generated by the Derivative Works, if and |
115 wherever such third-party notices normally appear. The contents |
116 of the NOTICE file are for informational purposes only and |
117 do not modify the License. You may add Your own attribution |
118 notices within Derivative Works that You distribute, alongside |
119 or as an addendum to the NOTICE text from the Work, provided |
120 that such additional attribution notices cannot be construed |
121 as modifying the License. |
122 |
123 You may add Your own copyright statement to Your modifications and |
124 may provide additional or different license terms and conditions |
125 for use, reproduction, or distribution of Your modifications, or |
126 for any such Derivative Works as a whole, provided Your use, |
127 reproduction, and distribution of the Work otherwise complies with |
128 the conditions stated in this License. |
129 |
130 5. Submission of Contributions. Unless You explicitly state otherwise, |
131 any Contribution intentionally submitted for inclusion in the Work |
132 by You to the Licensor shall be under the terms and conditions of |
133 this License, without any additional terms or conditions. |
134 Notwithstanding the above, nothing herein shall supersede or modify |
135 the terms of any separate license agreement you may have executed |
136 with Licensor regarding such Contributions. |
137 |
138 6. Trademarks. This License does not grant permission to use the trade |
139 names, trademarks, service marks, or product names of the Licensor, |
140 except as required for reasonable and customary use in describing the |
141 origin of the Work and reproducing the content of the NOTICE file. |
142 |
143 7. Disclaimer of Warranty. Unless required by applicable law or |
144 agreed to in writing, Licensor provides the Work (and each |
145 Contributor provides its Contributions) on an "AS IS" BASIS, |
146 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or |
147 implied, including, without limitation, any warranties or conditions |
148 of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A |
149 PARTICULAR PURPOSE. You are solely responsible for determining the |
150 appropriateness of using or redistributing the Work and assume any |
151 risks associated with Your exercise of permissions under this License. |
152 |
153 8. Limitation of Liability. In no event and under no legal theory, |
154 whether in tort (including negligence), contract, or otherwise, |
155 unless required by applicable law (such as deliberate and grossly |
156 negligent acts) or agreed to in writing, shall any Contributor be |
157 liable to You for damages, including any direct, indirect, special, |
158 incidental, or consequential damages of any character arising as a |
159 result of this License or out of the use or inability to use the |
160 Work (including but not limited to damages for loss of goodwill, |
161 work stoppage, computer failure or malfunction, or any and all |
162 other commercial damages or losses), even if such Contributor |
163 has been advised of the possibility of such damages. |
164 |
165 9. Accepting Warranty or Additional Liability. While redistributing |
166 the Work or Derivative Works thereof, You may choose to offer, |
167 and charge a fee for, acceptance of support, warranty, indemnity, |
168 or other liability obligations and/or rights consistent with this |
169 License. However, in accepting such obligations, You may act only |
170 on Your own behalf and on Your sole responsibility, not on behalf |
171 of any other Contributor, and only if You agree to indemnify, |
172 defend, and hold each Contributor harmless for any liability |
173 incurred by, or claims asserted against, such Contributor by reason |
174 of your accepting any such warranty or additional liability. |
175 |
176 END OF TERMS AND CONDITIONS |