Mercurial > kallithea
changeset 7658:ddad3be4dc44 stable
changeset: fix XSS vulnerability in parent-child navigation
The 'Parent Rev.' - 'Child Rev.' links on changesets and in the file browser
normally immediately jump to the correct revision upon click. But, if there
are multiple candidates, e.g. two children of a commit, then a list of
revisions is shown as hyperlinks instead.
These hyperlinks have a 'title' attribute containing the full commit message
of the corresponding commit. When this commit message contains characters
special to HTML, like ", >, etc., they were added literally to the HTML code.
This can lead to a cross-site scripting (XSS) vulnerability when an attacker
has write access to a repository. They could craft a special commit message
that would introduce HTML and/or JavaScript code when the commit is listed
in such 'parent-child' navigation links.
Escape the commit message before using it further.
author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
---|---
date | Fri, 19 Apr 2019 20:54:46 +0200
parents | b9b719fb4774
children | 0266dc85c61f
files | kallithea/public/js/base.js
diffstat | 1 files changed, 1 insertions(+), 1 deletions(-)
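The mechanism the commit message describes, as an added example that is not Kallithea's own code: a commit's fields are spliced into an HTML template string, once the way the code behaved before this fix and once with the message escaped. The template, the URL shape standing in for pyroutes.url('changeset_home', ...), and the htmlEscape() helper are assumptions; the real template and Kallithea's String.prototype.html_escape are not shown on this page. The escaped renderer also goes one step beyond the one-line patch by substituting the message through a replacer function and last in the chain.

```javascript
// Added example, not Kallithea's own code. Reproduces the string-template
// substitution described in the commit message. TEMPLATE, changesetUrl()
// and htmlEscape() are assumptions standing in for code not on the page.
const TEMPLATE = '<li><a href="__url__" title="__title__">__rev__</a></li>';

// Escapes the five characters that matter in HTML text and attribute context.
// A title="..." value needs the quotes escaped, not only < and >.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Short revision label, as on the page: r<revision>:<first 6 hex chars>.
function revLabel(result) {
  return 'r' + result.revision + ':' + result.raw_id.slice(0, 6);
}

// Assumed URL shape standing in for pyroutes.url('changeset_home', ...).
function changesetUrl(result) {
  return '/' + result.repo_name + '/changeset/' + result.raw_id;
}

// Before the fix: the raw commit message is spliced into the template, so a
// double quote in the message closes the title attribute and whatever follows
// is parsed as further attributes (an event handler here) or tags.
function renderVulnerable(result) {
  return TEMPLATE
    .replace('__rev__', revLabel(result))
    .replace('__title__', result.message)
    .replace('__url__', changesetUrl(result));
}

// After the fix, plus two hardenings beyond the one-line patch:
//  - the message goes in through a replacer function, so sequences such as
//    $& or $' in it are not interpreted as String.prototype.replace patterns;
//  - the attacker-controlled value is substituted last, so a literal
//    '__url__' inside the message cannot be picked up by a later replace().
function renderFixed(result) {
  const escaped = htmlEscape(result.message);
  return TEMPLATE
    .replace('__rev__', revLabel(result))
    .replace('__url__', changesetUrl(result))
    .replace('__title__', () => escaped);
}

// Mirrors the loop on the page: one template instance per candidate revision.
function renderNavigation(results, render) {
  const html = [];
  for (let i = 0; i < results.length; i++) {
    html.push(render(results[i]));
  }
  return html.join('');
}

// Constructed sample data, not real commits. The first message breaks out of
// the title attribute; the second carries a $' replacement pattern, which
// the pre-fix code expands to a copy of the template text after the match.
const SAMPLE_RESULTS = [
  { revision: 42, raw_id: 'deadbeefcafe', repo_name: 'demo',
    message: 'fix bug" onmouseover="alert(1)' },
  { revision: 7, raw_id: '0123456789ab', repo_name: 'demo',
    message: "tail $' trick" },
];

console.log('vulnerable: ' + renderNavigation(SAMPLE_RESULTS, renderVulnerable));
console.log('fixed:      ' + renderNavigation(SAMPLE_RESULTS, renderFixed));
```

Where a DOM is available, building the anchor with document.createElement and element.setAttribute('title', message) avoids the template-escaping question entirely, since attribute values set that way are never parsed as markup.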
line diff
--- a/kallithea/public/js/base.js Wed Apr 24 20:58:31 2019 +0200 +++ b/kallithea/public/js/base.js Fri Apr 19 20:54:46 2019 +0200 @@ -1493,7 +1493,7 @@ for(var i = 0; i < data.results.length; i++){ _html.push(template .replace('__rev__', 'r{0}:{1}'.format(data.results[i].revision, data.results[i].raw_id.substr(0, 6))) - .replace('__title__', data.results[i].message) + .replace('__title__', data.results[i].message.html_escape()) .replace('__url__', pyroutes.url('changeset_home', { 'repo_name': repo_name, 'revision': data.results[i].raw_id}))
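Review bot: the escaped message is still passed to `.replace('__title__', ...)` as a plain replacement string, so `$` sequences in a commit message (`$&`, `$'`, `` $` ``) are interpreted by `String.prototype.replace` as replacement patterns and can duplicate template text or the placeholder itself; pass a replacer function instead, e.g. `.replace('__title__', function () { return data.results[i].message.html_escape(); })`. Because the value lands in a `title` attribute, the fix also depends on `html_escape()` escaping `"` and `'` as well as `<`, `>` and `&`; its implementation is outside this hunk, so confirm it covers both quote characters. Finally, `__title__` is substituted before `__url__`, and string-pattern `replace` rewrites only the first occurrence, so a literal `__url__` inside a message becomes a candidate for the following `.replace('__url__', ...)` call; substituting the attacker-controlled value last removes that dependency on template order.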