Mercurial > kallithea
view scripts/validate-commits @ 7543:c9159e6fda04
cleanup: remove unnecessary (and potentially problematic) use of 'literal'
webhelpers.html.literal (kallithea.lib.helpers.literal) is only needed when
the passed string may contain HTML that needs to be interpreted literally.
It is unnecessary for plain strings.
Incorrect usage of literal can lead to XSS issues, via a malicious user
controlling data which will be rendered in other users' browsers. The data
could either be stored previously in the system or be part of a forged URL
the victim clicks on.
For example, when a user browses to a forged URL where a repository
changeset or branch name contains a javascript snippet, the snippet
was executed when printed on the page using 'literal'.
Remaining uses of 'literal' have been reviewed with no apparent problems
found.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
---|---|
date | Sat, 26 Jan 2019 20:00:14 +0100 |
parents | 69f70de15f26 |
children | d9e37f7fd35b |
line wrap: on
line source
#!/usr/bin/env bash # Validate the specified commits against test suite and other checks. if [ -n "$VIRTUAL_ENV" ]; then echo "Please run this script from outside a virtualenv." exit 1 fi if ! hg update --check -q .; then echo "Working dir is not clean, please commit/revert changes first." exit 1 fi venv=$(mktemp -d kallithea-validatecommits-env-XXXXXX) resultfile=$(mktemp kallithea-validatecommits-result-XXXXXX) echo > "$resultfile" cleanup() { rm -rf /tmp/kallithea-test* rm -rf "$venv" } finish() { cleanup # print (possibly intermediate) results cat "$resultfile" rm "$resultfile" } trap finish EXIT for rev in $(hg log -r "$1" -T '{node}\n'); do hg log -r "$rev" hg update "$rev" cleanup virtualenv -p "$(command -v python2)" "$venv" source "$venv/bin/activate" pip install --upgrade pip setuptools pip install -e . pip install -r dev_requirements.txt pip install python-ldap python-pam # run-all-cleanup scripts/run-all-cleanup if ! hg update --check -q .; then echo "run-all-cleanup did not give clean results!" result="NOK" hg diff hg revert -a else result=" OK" fi echo "$result: $rev (run-all-cleanup)" >> "$resultfile" # pytest if py.test; then result=" OK" else result="NOK" fi echo "$result: $rev (pytest)" >> "$resultfile" deactivate echo done