Mercurial > kallithea
view scripts/whitespacecleanup.sh @ 7553:c9bd000a4567 stable
templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS
On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Mon, 11 Feb 2019 21:36:55 +0100 |
parents | fce926a9d7c7 |
children | edb24bc0f71a |
line wrap: on
line source
#!/bin/bash -x # Enforce some consistency in whitespace - just to avoid spurious whitespaces changes files=`hg loc '*.py' '*.html' '*.css' '*.rst' '*.txt' '*.js' '*.ini' '*.cfg' CONTRIBUTORS LICENSE.md| egrep -v '/lockfiles.py|LICENSE-MERGELY.html|/codemirror/|/fontello/|(graph|mergely|native.history|select2/select2|yui.flot|yui.2.9)\.js$'` sed -i -e "s,`printf '\t'`, ,g" $files sed -i -e "s, *$,,g" $files # ensure one trailing newline - remove empty last line and make last line include trailing newline: sed -i -e '$,${/^$/d}' -e '$a\' $files sed -i -e 's,\([^ /]\){,\1 {,g' `hg loc '*.css'` sed -i -e 's|^\([^ /].*,\)\([^ ]\)|\1 \2|g' `hg loc '*.css'` sed -i -e 's/^\( [^: ]*\) *: *\([^/]\)/\1: \2/g' kallithea/public/css/{style,contextbar}.css sed -i -e '1s|, |,|g' kallithea/public/css/{style,contextbar}.css sed -i -e 's/^\([^ ,/]\+ [^,]*[^ ,]\) *, *\(.\)/\1,\n\2/g' kallithea/public/css/{style,contextbar}.css sed -i -e 's/^\([^ ,/].*\) */\1 /g' kallithea/public/css/{style,contextbar}.css sed -i -e 's,^--$,-- ,g' kallithea/templates/email_templates/main.txt hg mani | xargs chmod -x hg loc 'set:!binary()&grep("^#!")&!(**_tmpl.py)&!(**/template**)' | xargs chmod +x hg diff