changeset 7553:c9bd000a4567 stable

templates/summary: escape branch/tag/bookmark names in 'Download as zip' links to prevent XSS

On a repository summary page, in the 'Download' section where you can download an archive of the repository at a given revision, the branch/tag names were not correctly escaped. This means that if an attacker is able to push a branch/tag/bookmark containing HTML/JavaScript in its name, then that code would be evaluated. This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks.

Reported by Bob Hogg <wombat@rwhogg.site> (thanks!).
author Mads Kiilerich <mads@kiilerich.com>
date Mon, 11 Feb 2019 21:36:55 +0100
parents e74aa69f6827
children 04e44ea05c5f
files kallithea/templates/summary/summary.html
diffstat 1 files changed, 1 insertions(+), 1 deletions(-)
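The escaping the commit message describes, shown as an added example that is not Kallithea's code: the title of the 'Download as zip' link is filled in with the branch/tag name, then escaped as text before the trusted icon markup is prepended. The helper names (htmlEscape, buildTitleSafe, onlyIconIsMarkup) and the sample branch name are assumptions for this example; the real template calls a String.prototype.html_escape() helper defined elsewhere in Kallithea.

```javascript
// Stand-in for Kallithea's String.prototype.html_escape(); same intent,
// written as a plain function so the example runs on its own.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')   // must run first so later entities are not re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Fill the translated title template the way the summary page does.
// (Assumed English string; the real one comes from gettext.)
function fillTitle(csName, ext) {
  return 'Download __CS_NAME__ as __CS_EXT__'
    .replace('__CS_NAME__', csName)
    .replace('__CS_EXT__', ext);
}

// 'Before' the fix: the filled-in title, name included, goes into the HTML
// string verbatim, so markup in a branch/tag name is interpreted as HTML.
function buildTitleUnsafe(csName, ext) {
  return '<i class="icon-file-zip"></i> ' + fillTitle(csName, ext);
}

// 'After' the fix: the filled-in text is escaped, and only the literal icon
// element is concatenated afterwards, so the icon renders and the name is text.
function buildTitleSafe(csName, ext) {
  return '<i class="icon-file-zip"></i> ' + htmlEscape(fillTitle(csName, ext));
}

// Defender's check for the rendered link title: apart from the leading icon
// element, no further tag opener may appear in the HTML string.
function onlyIconIsMarkup(html) {
  var prefix = '<i class="icon-file-zip"></i> ';
  return html.indexOf(prefix) === 0 && html.slice(prefix.length).indexOf('<') === -1;
}

// Constructed branch name carrying harmless markup; it must end up as visible
// text in the safe title, not as a <b> element.
var BRANCH_WITH_MARKUP = 'release/<b>1.0</b>';
```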
line diff
--- a/kallithea/templates/summary/summary.html	Sat Jan 26 20:27:50 2019 +0100
+++ b/kallithea/templates/summary/summary.html	Mon Feb 11 21:36:55 2019 +0100
@@ -293,7 +293,7 @@
              var title_tmpl = "${_('Download %s as %s') % ('__CS_NAME__','__CS_EXT__')}";
              title_tmpl= title_tmpl.replace('__CS_NAME__',new_cs.text);
              title_tmpl = title_tmpl.replace('__CS_EXT__',k);
-             title_tmpl = '<i class="icon-file-zip"></i> '+ title_tmpl;
+             title_tmpl = '<i class="icon-file-zip"></i> '+ title_tmpl.html_escape();
              var url = tmpl_links[k].replace('__CS__',new_cs.id);
              var subrepos = $('#archive_subrepos').is(':checked');
              url = url.replace('__SUB__',subrepos);
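Review bot: the `url` built two lines below the change, `var url = tmpl_links[k].replace('__CS__',new_cs.id);`, interpolates new_cs.id with no escaping at all; the hunk does not show how `url` is consumed, so confirm it is set through an attribute API rather than concatenated into an HTML string, otherwise it needs the same treatment as title_tmpl. The changed line itself is sound: the whole filled-in title (the translated text, `new_cs.text` and `k`) is escaped as text and only the literal `<i class="icon-file-zip"></i>` prefix is concatenated afterwards, so the icon still renders while any markup in a branch/tag/bookmark name becomes inert text. Note that `html_escape()` is a String prototype helper defined outside this hunk; the summary page now depends on that helper being loaded wherever this script runs.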