Mercurial > kallithea
view .coveragerc @ 7299:57a733313e4f
repos: introduce low level slug check of repo and group names
The high level web forms already slug-ify repo and repo group names. It might
thus not create the exact repo that was created, but the name will be "safe".
For API, we would rather have it fail than not doing exactly what was requested.
Thus, always verify at low level that the provided name wouldn't be modified by
slugification. This makes sure the API provide allow the same actual names as
the web UI.
This will only influence creation and renaming of repositories and repo groups.
Existing repositories will continue working as before.
This is a slight API change, but it makes the system more stable and can
prevent some security issues - especially XSS attacks.
This issue was found and reported by
Kacper Szurek
https://security.szurek.pl/
| author | Mads Kiilerich <mads@kiilerich.com> |
|---|---|
| date | Tue, 29 May 2018 12:25:59 +0200 |
| parents | 0acb46763886 |
| children | ddee465a345a |
line wrap: on
line source
[run] omit = # the bin scripts are not part of the Kallithea web app kallithea/bin/* # we ship with no active extensions kallithea/config/rcextensions/* # dbmigrate and paster_commands are not part of the Kallithea web app kallithea/lib/dbmigrate/* kallithea/lib/paster_commands/* # the tests themselves should not be part of the coverage report kallithea/tests/* # the scm hooks are not run in the kallithea process kallithea/config/post_receive_tmpl.py kallithea/config/pre_receive_tmpl.py [paths] source = kallithea/ **/workspace/*/kallithea