Mercurial > kallithea
view MANIFEST.in @ 7317:64d41568507c stable
repos: introduce low level slug check of repo and group names
The high level web forms already slug-ify repo and repo group names. It might
thus not create the exact repo that was created, but the name will be "safe".
For API, we would rather have it fail than not doing exactly what was requested.
Thus, always verify at low level that the provided name wouldn't be modified by
slugification. This makes sure the API provide allow the same actual names as
the web UI.
This will only influence creation and renaming of repositories and repo groups.
Existing repositories will continue working as before.
This is a slight API change, but it makes the system more stable and can
prevent some security issues - especially XSS attacks.
This issue was found and reported by
Kacper Szurek
https://security.szurek.pl/
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Tue, 29 May 2018 12:25:59 +0200 |
parents | 19267f233d39 |
children | 968f2d4214e8 |
line wrap: on
line source
include Apache-License-2.0.txt include CONTRIBUTORS include COPYING include LICENSE-MERGELY.html include LICENSE.md include MIT-Permissive-License.txt include README.rst include development.ini recursive-include docs * recursive-include init.d * include kallithea/bin/ldap_sync.conf include kallithea/bin/template.ini.mako include kallithea/config/deployment.ini_tmpl recursive-include kallithea/i18n * recursive-include kallithea/lib/dbmigrate *.py_tmpl README migrate.cfg recursive-include kallithea/public * recursive-include kallithea/templates * recursive-include kallithea/tests/fixtures * recursive-include kallithea/tests/scripts * include kallithea/tests/test.ini include kallithea/tests/vcs/aconfig