# HG changeset patch # User Marcin Kuzminski # Date 2018-02-07 21:57:10 # Node ID 0fd8208e0f93ff7810c9c7a8ac69f2468b56ea51 # Parent db577a02545f46d5b5b382914b2c4c2d4f771667 sec: serialize the repo name in repo checks to prevent potential html injections. diff --git a/rhodecode/apps/repository/views/repo_checks.py b/rhodecode/apps/repository/views/repo_checks.py --- a/rhodecode/apps/repository/views/repo_checks.py +++ b/rhodecode/apps/repository/views/repo_checks.py @@ -27,6 +27,7 @@ from rhodecode.apps._base import BaseApp from rhodecode.lib import helpers as h from rhodecode.lib.auth import (NotAnonymous, HasRepoPermissionAny) from rhodecode.model.db import Repository +from rhodecode.model.validation_schema.types import RepoNameType log = logging.getLogger(__name__) @@ -43,8 +44,8 @@ class RepoChecksView(BaseAppView): renderer='rhodecode:templates/admin/repos/repo_creating.mako') def repo_creating(self): c = self.load_default_context() - repo_name = self.request.matchdict['repo_name'] + repo_name = RepoNameType().deserialize(None, repo_name) db_repo = Repository.get_by_repo_name(repo_name) # check if maybe repo is already created