changeset 7551:81db5704b285 stable

cleanup: remove unnecessary (and potentially problematic) use of 'literal' webhelpers.html.literal (kallithea.lib.helpers.literal) is only needed when the passed string may contain HTML that needs to be interpreted literally. It is unnecessary for plain strings. Incorrect usage of literal can lead to XSS issues, via a malicious user controlling data which will be rendered in other users' browsers. The data could either be stored previously in the system or be part of a forged URL the victim clicks on. For example, when a user browsed to a forged URL where a repository changeset or branch name contained a javascript snippet, the snippet was executed when printed on the page using 'literal'. Remaining uses of 'literal' have been reviewed with no apparent problems found. Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
author Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
date Sat, 26 Jan 2019 20:00:14 +0100
parents 603f5f7c323d
children e74aa69f6827
files kallithea/controllers/changelog.py kallithea/controllers/pullrequests.py kallithea/lib/auth.py kallithea/lib/base.py kallithea/templates/admin/settings/settings_system_update.html kallithea/templates/base/default_perms_box.html
diffstat 6 files changed, 11 insertions(+), 14 deletions(-) [+]
--- a/kallithea/controllers/changelog.py	Tue Feb 26 21:50:15 2019 +0100
+++ b/kallithea/controllers/changelog.py	Sat Jan 26 20:00:14 2019 +0100
@@ -83,8 +83,7 @@
         try:
             return c.db_repo_scm_instance.get_changeset(rev)
         except EmptyRepositoryError as e:
-            h.flash(h.literal(_('There are no changesets yet')),
-                    category='error')
+            h.flash(_('There are no changesets yet'), category='error')
         except RepositoryError as e:
             log.error(traceback.format_exc())
             h.flash(safe_str(e), category='error')
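Review bot: With the message now a fixed translated string, the `except EmptyRepositoryError as e:` at the top of the hunk binds `e` without ever using it; it can be `except EmptyRepositoryError:`. The drop of `h.literal()` means the flash text will be escaped where the flash is rendered, which is the intended behaviour for a plain `_()` string, and the `safe_str(e)` branch below was already passed unwrapped. The enclosing method starts outside the hunk.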
--- a/kallithea/controllers/pullrequests.py	Tue Feb 26 21:50:15 2019 +0100
+++ b/kallithea/controllers/pullrequests.py	Sat Jan 26 20:00:14 2019 +0100
@@ -235,8 +235,7 @@
         try:
             org_scm_instance.get_changeset()
         except EmptyRepositoryError as e:
-            h.flash(h.literal(_('There are no changesets yet')),
-                    category='warning')
+            h.flash(_('There are no changesets yet'), category='warning')
             redirect(url('summary_home', repo_name=org_repo.repo_name))
 
         org_rev = request.GET.get('rev_end')
--- a/kallithea/lib/auth.py	Tue Feb 26 21:50:15 2019 +0100
+++ b/kallithea/lib/auth.py	Sat Jan 26 20:00:14 2019 +0100
@@ -719,7 +719,7 @@
     from kallithea.lib import helpers as h
     p = request.path_qs
     if message:
-        h.flash(h.literal(message), category='warning')
+        h.flash(message, category='warning')
     log.debug('Redirecting to login page, origin: %s', p)
     return redirect(url('login_home', came_from=p))
 
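Review bot: Dropping `h.literal(message)` changes the contract of this function: any caller that passed markup in `message` will now see it rendered escaped, and nothing in the hunk states that `message` is treated as plain text. A one-line docstring addition such as `"""... message is shown as plain text in a flash message; it is escaped on output, so do not pass markup."""` would make that explicit for callers. Whether any caller currently relies on HTML in `message` cannot be seen from here; the function's `def` line is outside the hunk.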
--- a/kallithea/lib/base.py	Tue Feb 26 21:50:15 2019 +0100
+++ b/kallithea/lib/base.py	Sat Jan 26 20:00:14 2019 +0100
@@ -487,7 +487,7 @@
                 log.error('%s this repository is present in database but it '
                           'cannot be created as an scm instance', c.repo_name)
                 from kallithea.lib import helpers as h
-                h.flash(h.literal(_('Repository not found in the filesystem')),
+                h.flash(_('Repository not found in the filesystem'),
                         category='error')
                 raise paste.httpexceptions.HTTPNotFound()
 
@@ -509,12 +509,11 @@
         except EmptyRepositoryError as e:
             if returnempty:
                 return repo.scm_instance.EMPTY_CHANGESET
-            h.flash(h.literal(_('There are no changesets yet')),
-                    category='error')
+            h.flash(_('There are no changesets yet'), category='error')
             raise webob.exc.HTTPNotFound()
         except ChangesetDoesNotExistError as e:
-            h.flash(h.literal(_('Changeset for %s %s not found in %s') %
-                              (ref_type, ref_name, repo.repo_name)),
+            h.flash(_('Changeset for %s %s not found in %s') %
+                              (ref_type, ref_name, repo.repo_name),
                     category='error')
             raise webob.exc.HTTPNotFound()
         except RepositoryError as e:
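Review bot: The continuation line `(ref_type, ref_name, repo.repo_name),` keeps the column it had when it was nested inside `h.literal(`, so it no longer aligns with the `_(...) %` expression it belongs to; re-wrapping as `h.flash(_('Changeset for %s %s not found in %s')` / `        % (ref_type, ref_name, repo.repo_name),` / `        category='error')` reads correctly. Since `ref_name` comes from the request, this appears to be the message the commit description cites as the forged-URL XSS vector, so a comment like `# ref_name is user-controlled: keep this a plain string so flash() escapes it` would stop literal from being re-added later. Both `except ... as e:` lines in the hunk bind an `e` that is unused. The enclosing function starts outside the hunk.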
--- a/kallithea/templates/admin/settings/settings_system_update.html	Tue Feb 26 21:50:15 2019 +0100
+++ b/kallithea/templates/admin/settings/settings_system_update.html	Sat Jan 26 20:00:14 2019 +0100
@@ -7,7 +7,7 @@
 %if c.should_upgrade:
     A <b>new version</b> is available:
     %if c.latest_data.get('title'):
-        <b>${h.literal(c.latest_data['title'])}</b>
+        <b>${c.latest_data['title']}</b>
     %else:
         <b>${c.latest_ver}</b>
     %endif
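Review bot: `c.latest_data['title']` is, judging by the template's purpose, text received from a remote update check, so passing it through `h.literal` was never appropriate; the new `${c.latest_data['title']}` is only safe if the Mako configuration escapes `${}` expressions by default, which is not visible in this hunk and should be confirmed. A template comment such as `## latest_data comes from the remote update check and is untrusted; rely on auto-escaping, never literal` above the `%if` would record that. The same consideration applies to `${c.latest_ver}` in the `%else:` branch.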
--- a/kallithea/templates/base/default_perms_box.html	Tue Feb 26 21:50:15 2019 +0100
+++ b/kallithea/templates/base/default_perms_box.html	Sat Jan 26 20:00:14 2019 +0100
@@ -30,7 +30,7 @@
                 <div class="checkboxes">
                     ${h.checkbox('create_repo_perm',value=True)}
                     <span class="help-block">
-                    ${h.literal(_('Select this option to allow repository creation for this user'))}
+                    ${_('Select this option to allow repository creation for this user')}
                     </span>
                 </div>
              </div>
@@ -42,7 +42,7 @@
                 <div class="checkboxes">
                     ${h.checkbox('create_user_group_perm',value=True)}
                     <span class="help-block">
-                        ${h.literal(_('Select this option to allow user group creation for this user'))}
+                        ${_('Select this option to allow user group creation for this user')}
                     </span>
                 </div>
              </div>
@@ -54,7 +54,7 @@
                 <div class="checkboxes">
                     ${h.checkbox('fork_repo_perm',value=True)}
                     <span class="help-block">
-                        ${h.literal(_('Select this option to allow repository forking for this user'))}
+                        ${_('Select this option to allow repository forking for this user')}
                     </span>
                 </div>
              </div>