view .travis.yml @ 7553:c9bd000a4567 stable
templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS
On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
| field | value |
|---|---|
| author | Mads Kiilerich <mads@kiilerich.com> |
| date | Mon, 11 Feb 2019 21:36:55 +0100 |
| parents | a9a1560dad79 |
| children | e285bb7abb28 |
```yaml
language: python
python:
  - "2.6"
  - "2.7"
env:
  - TEST_DB=sqlite:////tmp/kallithea_test.sqlite
  - TEST_DB=mysql://root@127.0.0.1/kallithea_test
  - TEST_DB=postgresql://postgres@127.0.0.1/kallithea_test
services:
  - mysql
  - postgresql

# command to install dependencies
before_script:
  - mysql -e 'create database kallithea_test;'
  - psql -c 'create database kallithea_test;' -U postgres
  - git --version

before_install:
  - sudo apt-get remove git
  - sudo add-apt-repository ppa:pdoes/ppa -y
  - sudo apt-get update -y
  - sudo apt-get install git -y

install:
  - pip install mysql-python psycopg2 mock unittest2
  - pip install . --use-mirrors

# command to run tests
script: nosetests

notifications:
  email:
    - ci@kallithea-scm.org
  irc: "irc.freenode.org#kallithea"

branches:
  only:
    - master
```
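As an added illustration of the escaping the commit message above describes (this is not Kallithea's own template code), here is the vulnerable 'before' shape of a 'Download as zip' link beside a hardened one, in Python 3; the repository name and the ref names are constructed samples.

```python
import html
from urllib.parse import quote

# Constructed sample ref names, including one that carries markup of the
# kind the commit message says an attacker could push as a branch/tag/bookmark.
SAMPLE_NAMES = [
    "stable",
    'release/1.0 "beta"',
    "<script>alert(1)</script>",
]


def download_link_unescaped(repo_name, ref_name):
    """'Before' form: interpolates the ref name straight into HTML (vulnerable)."""
    return '<a href="/%s/archive/%s.zip">Download as zip (%s)</a>' % (
        repo_name, ref_name, ref_name)


def download_link_escaped(repo_name, ref_name):
    """Hardened form: percent-encode the ref name inside the URL path, then
    HTML-escape both the attribute value and the visible link text."""
    url = "/%s/archive/%s.zip" % (quote(repo_name, safe="/"), quote(ref_name, safe=""))
    return '<a href="%s">Download as zip (%s)</a>' % (
        html.escape(url, quote=True), html.escape(ref_name, quote=True))


def leaks_raw_markup(rendered, ref_name):
    """Check used below: True if a ref name containing '<' or '"' survives
    verbatim in the rendered HTML, i.e. the escaping was skipped."""
    return ("<" in ref_name or '"' in ref_name) and ref_name in rendered


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        before = download_link_unescaped("kallithea", name)
        after = download_link_escaped("kallithea", name)
        print("before:", before, "| leaks:", leaks_raw_markup(before, name))
        print("after: ", after, "| leaks:", leaks_raw_markup(after, name))
```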