changeset 8761:7b7afdbe57af

Merge stable
author Mads Kiilerich <mads@kiilerich.com>
date Thu, 03 Dec 2020 01:13:44 +0100
parents 9ead754dd0a4 (current diff) e4d44e4e7716 (diff)
children 2fac3c55f9bc
files development.ini kallithea/__init__.py kallithea/controllers/admin/repo_groups.py kallithea/controllers/admin/repos.py kallithea/lib/diffs.py kallithea/lib/vcs/backends/git/repository.py kallithea/model/db.py kallithea/model/repo.py kallithea/templates/admin/repo_groups/repo_group_add.html kallithea/templates/admin/repos/repo_add_base.html kallithea/templates/ini/template.ini.mako kallithea/tests/models/test_diff_parsers.py
diffstat 10 files changed, 40 insertions(+), 19 deletions(-) [+]
--- a/.hgtags	Sat Nov 07 21:49:39 2020 +0100
+++ b/.hgtags	Thu Dec 03 01:13:44 2020 +0100
@@ -79,3 +79,4 @@
 9f5ca9088067618d79129d224c35c818bd2d2f12 0.6.0
 a22edac2be58eaf68d1940d4dfeb88fadbabb43a 0.6.1
 22bfca5da6f56738f6220d24bb6ce2f9bc4f9b1e 0.6.2
+213450cbdc11fff8508ba25101dc05ab74048e55 0.6.3
--- a/development.ini	Sat Nov 07 21:49:39 2020 +0100
+++ b/development.ini	Thu Dec 03 01:13:44 2020 +0100
@@ -259,7 +259,7 @@
 ## Example: use the message queue on the local virtual host 'kallitheavhost' as the RabbitMQ user 'kallithea':
 celery.broker_url = amqp://kallithea:thepassword@localhost:5672/kallitheavhost
 
-celery.result.backend = db+sqlite:///celery-results.db
+celery.result_backend = db+sqlite:///celery-results.db
 
 #celery.amqp.task.result.expires = 18000
 
--- a/kallithea/controllers/admin/repo_groups.py	Sat Nov 07 21:49:39 2020 +0100
+++ b/kallithea/controllers/admin/repo_groups.py	Thu Dec 03 01:13:44 2020 +0100
@@ -117,7 +117,7 @@
             children_groups = [g.name for g in repo_gr.parents] + [repo_gr.name]
             repo_count = repo_gr.repositories.count()
             repo_groups_data.append({
-                "raw_name": repo_gr.group_name,
+                "raw_name": webutils.escape(repo_gr.group_name),
                 "group_name": repo_group_name(repo_gr.group_name, children_groups),
                 "desc": webutils.escape(repo_gr.group_description),
                 "repos": repo_count,
@@ -174,14 +174,14 @@
         raise HTTPFound(location=url('repos_group_home', group_name=gr.group_name))
 
     def new(self):
+        parent_group_id = safe_int(request.GET.get('parent_group') or '-1')
         if HasPermissionAny('hg.admin')('group create'):
             # we're global admin, we're ok and we can create TOP level groups
             pass
         else:
             # we pass in parent group into creation form, thus we know
             # what would be the group, we can check perms here !
-            group_id = safe_int(request.GET.get('parent_group'))
-            group = db.RepoGroup.get(group_id) if group_id else None
+            group = db.RepoGroup.get(parent_group_id) if parent_group_id else None
             group_name = group.group_name if group else None
             if HasRepoGroupPermissionLevel('admin')(group_name, 'group create'):
                 pass
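Review bot: With the new `'-1'` fallback, `parent_group_id` is truthy when no parent is requested, so `if parent_group_id` in the non-admin branch no longer skips the lookup and `db.RepoGroup.get(-1)` is called for the top-level case. That presumably returns None, so the permission check still runs with `group_name = None`, but the guard now relies on the lookup missing rather than stating the intent. Comparing against the sentinel makes it explicit: `group = db.RepoGroup.get(parent_group_id) if parent_group_id and parent_group_id > 0 else None`. What `safe_int` returns for a non-numeric `parent_group` is not visible here; if it can be None, that value also reaches the `defaults` dict further down in `new`, whose body continues outside this hunk.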
@@ -189,7 +189,13 @@
                 raise HTTPForbidden()
 
         self.__load_defaults()
-        return render('admin/repo_groups/repo_group_add.html')
+        return htmlfill.render(
+            render('admin/repo_groups/repo_group_add.html'),
+            defaults={'parent_group_id': parent_group_id},
+            errors={},
+            prefix_error=False,
+            encoding="UTF-8",
+            force_defaults=False)
 
     @HasRepoGroupPermissionLevelDecorator('admin')
     def update(self, group_name):
--- a/kallithea/controllers/admin/repos.py	Sat Nov 07 21:49:39 2020 +0100
+++ b/kallithea/controllers/admin/repos.py	Thu Dec 03 01:13:44 2020 +0100
@@ -144,7 +144,9 @@
             if prg is None or not any(rgc[0] == prg.group_id
                                       for rgc in c.repo_groups):
                 raise HTTPForbidden
-            defaults.update({'repo_group': parent_group})
+        else:
+            parent_group = '-1'
+        defaults.update({'repo_group': parent_group})
 
         return htmlfill.render(
             render('admin/repos/repo_add.html'),
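Review bot: The string `'-1'` added in the new `else` branch is an undocumented sentinel; it appears to match the top-level choice `(-1, ...)` built in kallithea/model/db.py, but nothing here says so. A comment such as `# '-1' selects the "top level" entry in c.repo_groups` would tie the two together. The `if` this `else` belongs to starts outside the hunk, so which condition leads to the fallback cannot be confirmed from these lines.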
--- a/kallithea/lib/vcs/backends/git/repository.py	Sat Nov 07 21:49:39 2020 +0100
+++ b/kallithea/lib/vcs/backends/git/repository.py	Thu Dec 03 01:13:44 2020 +0100
@@ -159,14 +159,26 @@
         when the return code is non 200
         """
         # check first if it's not an local url
-        if os.path.isdir(url) or url.startswith('file:'):
+        if os.path.isabs(url) and os.path.isdir(url):
             return True
 
         if url.startswith('git://'):
+            try:
+                _git_colon, _empty, _host, path = url.split('/', 3)
+            except ValueError:
+                raise urllib.error.URLError("Invalid URL: %r" % url)
+            # Mitigate problems elsewhere with incorrect handling of encoded paths.
+            # Don't trust urllib.parse.unquote but be prepared for more flexible implementations elsewhere.
+            # Space is the only allowed whitespace character - directly or % encoded. No other % or \ is allowed.
+            for c in path.replace('%20', ' '):
+                if c in '%\\':
+                    raise urllib.error.URLError("Invalid escape character in path: '%s'" % c)
+                if c.isspace() and c != ' ':
+                    raise urllib.error.URLError("Invalid whitespace character in path: %r" % c)
             return True
 
-        if '+' in url[:url.find('://')]:
-            url = url[url.find('+') + 1:]
+        if not url.startswith('http://') and not url.startswith('https://'):
+            raise urllib.error.URLError("Unsupported protocol in URL %s" % url)
 
         url_obj = mercurial.util.url(safe_bytes(url))
         test_uri, handlers = get_urllib_request_handlers(url_obj)
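Review bot: The new character loop for `git://` URLs inspects only `path`; `_host` is split off and never checked, and inside `path` the `c.isspace()` test lets non-whitespace control characters such as NUL or DEL through. If the intent is to keep anything unexpected away from the code that later consumes the URL, the same rules could be applied to `_host`, and the whitespace test could become `if not c.isprintable():` (`str.isprintable` accepts the ASCII space and rejects other whitespace and control characters). The first branch still returns True for any absolute directory on the server without restricting it to an allowed base path; whether that is intended is not visible here. The final error formats the URL with `%s` where the other messages use `%r`; `%r` keeps stray control characters from being written verbatim into logs. The function starts and continues outside the hunk.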
--- a/kallithea/model/db.py	Sat Nov 07 21:49:39 2020 +0100
+++ b/kallithea/model/db.py	Thu Dec 03 01:13:44 2020 +0100
@@ -1388,7 +1388,7 @@
         """Return tuple with group_id and name as html literal"""
         if repo_group is None:
             return (-1, '-- %s --' % _('top level'))
-        return repo_group.group_id, webutils.literal(cls.SEP.join(repo_group.full_path_splitted))
+        return repo_group.group_id, webutils.literal(cls.SEP.join(webutils.html_escape(x) for x in repo_group.full_path_splitted))
 
     @classmethod
     def groups_choices(cls, groups):
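Review bot: The docstring still says only "name as html literal", which does not tell a reader that escaping now happens per path segment before the join and that `cls.SEP` is inserted unescaped. A comment above the return such as `# escape each segment; SEP is our own markup and must stay unescaped` would make that explicit, assuming SEP is a constant containing markup (its definition is outside the hunk). The top-level branch returns a plain `str` while this branch returns a `webutils.literal`, so the two results are presumably escaped differently by whatever renders them; that is worth stating in the docstring too.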
--- a/kallithea/model/repo.py	Sat Nov 07 21:49:39 2020 +0100
+++ b/kallithea/model/repo.py	Thu Dec 03 01:13:44 2020 +0100
@@ -33,7 +33,7 @@
 from datetime import datetime
 
 import kallithea.lib.utils2
-from kallithea.lib import hooks
+from kallithea.lib import hooks, webutils
 from kallithea.lib.auth import HasRepoPermissionLevel, HasUserGroupPermissionLevel
 from kallithea.lib.exceptions import AttachedForksError
 from kallithea.lib.utils import is_valid_repo_uri, make_ui
@@ -156,18 +156,18 @@
 
         for gr in repo_groups_list or []:
             repos_data.append(dict(
-                raw_name='\0' + gr.name, # sort before repositories
-                just_name=gr.name,
+                raw_name='\0' + webutils.html_escape(gr.name),  # sort before repositories
+                just_name=webutils.html_escape(gr.name),
                 name=_render('group_name_html', group_name=gr.group_name, name=gr.name),
-                desc=gr.group_description))
+                desc=desc(gr.group_description)))
 
         for repo in repos_list:
             if not HasRepoPermissionLevel('read')(repo.repo_name, 'get_repos_as_dict check'):
                 continue
             cs_cache = repo.changeset_cache
             row = {
-                "raw_name": repo.repo_name,
-                "just_name": repo.just_name,
+                "raw_name": webutils.html_escape(repo.repo_name),
+                "just_name": webutils.html_escape(repo.just_name),
                 "name": repo_lnk(repo.repo_name, repo.repo_type,
                                  repo.repo_state, repo.private, repo.fork),
                 "following": following(
--- a/kallithea/templates/admin/repo_groups/repo_group_add.html	Sat Nov 07 21:49:39 2020 +0100
+++ b/kallithea/templates/admin/repo_groups/repo_group_add.html	Thu Dec 03 01:13:44 2020 +0100
@@ -41,7 +41,7 @@
             <div class="form-group">
                 <label class="control-label" for="parent_group_id">${_('Group parent')}:</label>
                 <div>
-                    ${h.select('parent_group_id',request.GET.get('parent_group'),c.repo_groups,class_='form-control')}
+                    ${h.select('parent_group_id',None,c.repo_groups,class_='form-control')}
                 </div>
             </div>
 
--- a/kallithea/templates/admin/repos/repo_add_base.html	Sat Nov 07 21:49:39 2020 +0100
+++ b/kallithea/templates/admin/repos/repo_add_base.html	Thu Dec 03 01:13:44 2020 +0100
@@ -27,7 +27,7 @@
         <div class="form-group">
             <label class="control-label" for="repo_group">${_('Repository group')}:</label>
             <div>
-                ${h.select('repo_group',request.GET.get('parent_group'),c.repo_groups,class_='form-control')}
+                ${h.select('repo_group',None,c.repo_groups,class_='form-control')}
                 <span class="help-block">${_('Optionally select a group to put this repository into.')}</span>
             </div>
         </div>
--- a/kallithea/templates/ini/template.ini.mako	Sat Nov 07 21:49:39 2020 +0100
+++ b/kallithea/templates/ini/template.ini.mako	Thu Dec 03 01:13:44 2020 +0100
@@ -334,7 +334,7 @@
 <%text>##</%text> Example: use the message queue on the local virtual host 'kallitheavhost' as the RabbitMQ user 'kallithea':
 celery.broker_url = amqp://kallithea:thepassword@localhost:5672/kallitheavhost
 
-celery.result.backend = db+sqlite:///celery-results.db
+celery.result_backend = db+sqlite:///celery-results.db
 
 #celery.amqp.task.result.expires = 18000