Mercurial > kallithea
view setup.cfg @ 7553:c9bd000a4567 stable
templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS
On a repository summary page, in the 'Download' section where you can
download an archive of the repository at a given revision, the branch/tag
names were not correctly escaped.
This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.
Fix the problem by correctly escaping the branch/tag/bookmarks.
Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
| author | Mads Kiilerich <mads@kiilerich.com> |
|---|---|
| date | Mon, 11 Feb 2019 21:36:55 +0100 |
| parents | 19267f233d39 |
| children | d88077fae3d6 |
line wrap: on
line source
[egg_info] tag_build = tag_svn_revision = 0 tag_date = 0 [nosetests] verbose = True verbosity = 2 with-pylons = kallithea/tests/test.ini detailed-errors = 1 nologcapture = 1 [pytest] # only look for tests in kallithea/tests python_files = kallithea/tests/**/test_*.py addopts = # --verbose # show extra test summary info as specified by chars (f)ailed, (E)error, (s)skipped, (x)failed, (X)passed, (w)warnings. -rfEsxXw # Shorter scrollbacks; less stuff to scroll through --tb=short [compile_catalog] domain = kallithea directory = kallithea/i18n statistics = true [extract_messages] add_comments = TRANSLATORS: output_file = kallithea/i18n/kallithea.pot msgid-bugs-address = translations@kallithea-scm.org copyright-holder = Various authors, licensing as GPLv3 no-wrap = true [init_catalog] domain = kallithea input_file = kallithea/i18n/kallithea.pot output_dir = kallithea/i18n [update_catalog] domain = kallithea input_file = kallithea/i18n/kallithea.pot output_dir = kallithea/i18n previous = true [build_sphinx] source-dir = docs/ build-dir = docs/_build all_files = 1 [upload_sphinx] upload-dir = docs/_build/html