Mercurial > kallithea

changeset 7657:b9b719fb4774 stable

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
search: fix XSS vulnerability in search results The search feature did not correctly escape all arguments when displaying search matches and linking to the corresponding files. An attacker that can control the contents of a repository could thus cause a cross-site scripting (XSS) vulnerability. Fix the problem by removing the overall h.literal call that is only needed for the HTML entity &raquo; and splitting the link instead. We take the opportunity to improving the destination of the part before &raquo; which is the path to the repository. Instead of pointing to the search result, point to the repository itself. The part after &raquo; remains linked to the file containing the search match. Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
author Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
date Wed, 24 Apr 2019 20:58:31 +0200
parents bfee46530202
children ddad3be4dc44
files kallithea/templates/search/search_commit.html kallithea/templates/search/search_content.html kallithea/templates/search/search_path.html
diffstat 3 files changed, 9 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/kallithea/templates/search/search_commit.html	Tue May 07 20:00:28 2019 +0200
+++ b/kallithea/templates/search/search_commit.html	Wed Apr 24 20:58:31 2019 +0200
@@ -4,8 +4,9 @@
     %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):
         <div class="panel panel-default">
             <div class="panel-heading">
-                ${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['raw_id'])),
-                    h.url('changeset_home',repo_name=sr['repository'],revision=sr['raw_id']))}
+                ${h.link_to(sr['repository'], h.url('summary_home', repo_name=sr['repository']))}
+                &raquo;
+                ${h.link_to(sr['raw_id'], h.url('changeset_home', repo_name=sr['repository'], revision=sr['raw_id']))}
                 ${h.fmt_date(h.time_to_datetime(sr['date']))}
             </div>
             <div class="panel-body">
--- a/kallithea/templates/search/search_content.html	Tue May 07 20:00:28 2019 +0200
+++ b/kallithea/templates/search/search_content.html	Wed Apr 24 20:58:31 2019 +0200
@@ -4,8 +4,9 @@
     %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):
         <div class="panel panel-default">
             <div class="panel-heading">
-                ${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['f_path'])),
-                    h.url('files_home',repo_name=sr['repository'],revision='tip',f_path=sr['f_path']))}
+                ${h.link_to(sr['repository'], h.url('summary_home', repo_name=sr['repository']))}
+                &raquo;
+                ${h.link_to(sr['f_path'], h.url('files_home', repo_name=sr['repository'], revision='tip', f_path=sr['f_path']))}
             </div>
             <div class="panel-body search-code-body">
                 <pre>${h.literal(sr['content_short_hl'])}</pre>
--- a/kallithea/templates/search/search_path.html	Tue May 07 20:00:28 2019 +0200
+++ b/kallithea/templates/search/search_path.html	Wed Apr 24 20:58:31 2019 +0200
@@ -4,8 +4,9 @@
     %if h.HasRepoPermissionLevel('read')(sr['repository'],'search results check'):
         <div class="panel panel-default">
             <div class="panel-heading">
-                ${h.link_to(h.literal('%s &raquo; %s' % (sr['repository'],sr['f_path'])),
-                    h.url('files_home',repo_name=sr['repository'],revision='tip',f_path=sr['f_path']))}
+                ${h.link_to(sr['repository'], h.url('summary_home', repo_name=sr['repository']))}
+                &raquo;
+                ${h.link_to(sr['f_path'], h.url('files_home', repo_name=sr['repository'], revision='tip', f_path=sr['f_path']))}
             </div>
         </div>
     %else: