Mercurial > kallithea
annotate scripts/whitespacecleanup.sh @ 7553:c9bd000a4567 stable
templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS
On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
| author | Mads Kiilerich <mads@kiilerich.com> |
|---|---|
| date | Mon, 11 Feb 2019 21:36:55 +0100 |
| parents | fce926a9d7c7 |
| children | edb24bc0f71a |
| rev | line source |
|---|---|
|
4727
9cf229b46e49
whitespacecleanup.sh - run regularly to ensure consistent spacing and avoid spurious changes
Mads Kiilerich <madski@unity3d.com>
parents:
diff
changeset
|
1 #!/bin/bash -x |
|
9cf229b46e49
whitespacecleanup.sh - run regularly to ensure consistent spacing and avoid spurious changes
Mads Kiilerich <madski@unity3d.com>
parents:
diff
changeset
|
2 |
|
9cf229b46e49
whitespacecleanup.sh - run regularly to ensure consistent spacing and avoid spurious changes
Mads Kiilerich <madski@unity3d.com>
parents:
diff
changeset
|
3 # Enforce some consistency in whitespace - just to avoid spurious whitespaces changes |
|
9cf229b46e49
whitespacecleanup.sh - run regularly to ensure consistent spacing and avoid spurious changes
Mads Kiilerich <madski@unity3d.com>
parents:
diff
changeset
|
4 |
|
5379
1949ece749ce
cleanup: fix whitespace in CONTRIBUTORS (and other forgotten files) too
Mads Kiilerich <madski@unity3d.com>
parents:
5378
diff
changeset
|
5 files=`hg loc '*.py' '*.html' '*.css' '*.rst' '*.txt' '*.js' '*.ini' '*.cfg' CONTRIBUTORS LICENSE.md| egrep -v '/lockfiles.py|LICENSE-MERGELY.html|/codemirror/|/fontello/|(graph|mergely|native.history|select2/select2|yui.flot|yui.2.9)\.js$'` |
|
1949ece749ce
cleanup: fix whitespace in CONTRIBUTORS (and other forgotten files) too
Mads Kiilerich <madski@unity3d.com>
parents:
5378
diff
changeset
|
6 |
|
5378
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
7 sed -i -e "s,`printf '\t'`, ,g" $files |
|
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
8 sed -i -e "s, *$,,g" $files |
|
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
9 # ensure one trailing newline - remove empty last line and make last line include trailing newline: |
|
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
10 sed -i -e '$,${/^$/d}' -e '$a\' $files |
|
4727
9cf229b46e49
whitespacecleanup.sh - run regularly to ensure consistent spacing and avoid spurious changes
Mads Kiilerich <madski@unity3d.com>
parents:
diff
changeset
|
11 |
|
5378
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
12 sed -i -e 's,\([^ /]\){,\1 {,g' `hg loc '*.css'` |
|
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
13 sed -i -e 's|^\([^ /].*,\)\([^ ]\)|\1 \2|g' `hg loc '*.css'` |
|
4727
9cf229b46e49
whitespacecleanup.sh - run regularly to ensure consistent spacing and avoid spurious changes
Mads Kiilerich <madski@unity3d.com>
parents:
diff
changeset
|
14 |
|
5378
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
15 sed -i -e 's/^\( [^: ]*\) *: *\([^/]\)/\1: \2/g' kallithea/public/css/{style,contextbar}.css |
|
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
16 sed -i -e '1s|, |,|g' kallithea/public/css/{style,contextbar}.css |
|
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
17 sed -i -e 's/^\([^ ,/]\+ [^,]*[^ ,]\) *, *\(.\)/\1,\n\2/g' kallithea/public/css/{style,contextbar}.css |
|
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
18 sed -i -e 's/^\([^ ,/].*\) */\1 /g' kallithea/public/css/{style,contextbar}.css |
|
bdfba68cdfea
cleanup: remove empty trailing lines
Mads Kiilerich <madski@unity3d.com>
parents:
5330
diff
changeset
|
19 sed -i -e 's,^--$,-- ,g' kallithea/templates/email_templates/main.txt |
|
4727
9cf229b46e49
whitespacecleanup.sh - run regularly to ensure consistent spacing and avoid spurious changes
Mads Kiilerich <madski@unity3d.com>
parents:
diff
changeset
|
20 |
|
5390
530bcb645d32
cleanup: set reasonable x bits
Mads Kiilerich <madski@unity3d.com>
parents:
5379
diff
changeset
|
21 hg mani | xargs chmod -x |
|
530bcb645d32
cleanup: set reasonable x bits
Mads Kiilerich <madski@unity3d.com>
parents:
5379
diff
changeset
|
22 hg loc 'set:!binary()&grep("^#!")&!(**_tmpl.py)&!(**/template**)' | xargs chmod +x |
|
530bcb645d32
cleanup: set reasonable x bits
Mads Kiilerich <madski@unity3d.com>
parents:
5379
diff
changeset
|
23 |
|
4727
9cf229b46e49
whitespacecleanup.sh - run regularly to ensure consistent spacing and avoid spurious changes
Mads Kiilerich <madski@unity3d.com>
parents:
diff
changeset
|
24 hg diff |