security: fix possible XSS in the issue tracker URL.
marcink -
r3439:1755b780 default
@@ -1547,8 +1547,7 b' def urlify_commits(text_, repository):'
1547 return tmpl % {
1547 return tmpl % {
1548 'pref': pref,
1548 'pref': pref,
1549 'cls': 'revision-link',
1549 'cls': 'revision-link',
1550 'url': route_url('repo_commit', repo_name=repository,
1550 'url': route_url('repo_commit', repo_name=repository, commit_id=commit_id),
1551 commit_id=commit_id),
1552 'commit_id': commit_id,
1551 'commit_id': commit_id,
1553 'suf': suf
1552 'suf': suf
1554 }
1553 }
@@ -1579,8 +1578,7 b' def _process_url_func(match_obj, repo_na'
1579 raise ValueError('Bad link_format:{}'.format(link_format))
1578 raise ValueError('Bad link_format:{}'.format(link_format))
1580
1579
1581 (repo_name_cleaned,
1580 (repo_name_cleaned,
1582 parent_group_name) = RepoGroupModel().\
1581 parent_group_name) = RepoGroupModel()._get_group_name_and_parent(repo_name)
1583 _get_group_name_and_parent(repo_name)
1584
1582
1585 # variables replacement
1583 # variables replacement
1586 named_vars = {
1584 named_vars = {
@@ -1593,10 +1591,14 b' def _process_url_func(match_obj, repo_na'
1593 named_vars.update(match_obj.groupdict())
1591 named_vars.update(match_obj.groupdict())
1594 _url = string.Template(entry['url']).safe_substitute(**named_vars)
1592 _url = string.Template(entry['url']).safe_substitute(**named_vars)
1595
1593
1594 def quote_cleaner(input_str):
1595 """Remove quotes as it's HTML"""
1596 return input_str.replace('"', '')
1597
1596 data = {
1598 data = {
1597 'pref': pref,
1599 'pref': pref,
1598 'cls': 'issue-tracker-link',
1600 'cls': quote_cleaner('issue-tracker-link'),
1599 'url': _url,
1601 'url': quote_cleaner(_url),
1600 'id-repr': issue_id,
1602 'id-repr': issue_id,
1601 'issue-prefix': entry['pref'],
1603 'issue-prefix': entry['pref'],
1602 'serv': entry['url'],
1604 'serv': entry['url'],
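Review bot: quote_cleaner only deletes double quotes, so the value stored under `'url'` is still not safe for the attribute it is interpolated into: single quotes, `<`, `>` and `&` pass through unchanged and a `javascript:` scheme is not rejected. `_url` comes from safe_substitute over match_obj.groupdict(), i.e. from text the commit author controls, so escaping for HTML-attribute context is the appropriate treatment rather than character removal, e.g. `'url': html.escape(_url, quote=True),` (or the project's own markup-escape helper), which also keeps the link target intact instead of silently altering it. Wrapping the constant `'issue-tracker-link'` in quote_cleaner has no effect and can be dropped, while `'id-repr': issue_id`, `'issue-prefix': entry['pref']` and `'serv': entry['url']` are placed in the same dict without any treatment here and presumably rely on the settings-side cleaning holding — worth a comment stating that assumption. The `data = {...}` literal and the enclosing _process_url_func both continue outside the hunk.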
@@ -1621,8 +1623,7 b' def get_active_pattern_entries(repo_name'
1621 return active_entries
1623 return active_entries
1622
1624
1623
1625
1624 def process_patterns(text_string, repo_name, link_format='html',
1626 def process_patterns(text_string, repo_name, link_format='html', active_entries=None):
1625 active_entries=None):
1626
1627
1627 allowed_formats = ['html', 'rst', 'markdown']
1628 allowed_formats = ['html', 'rst', 'markdown']
1628 if link_format not in allowed_formats:
1629 if link_format not in allowed_formats:
@@ -1668,8 +1669,7 b' def process_patterns(text_string, repo_n'
1668 return newtext, issues_data
1669 return newtext, issues_data
1669
1670
1670
1671
1671 def urlify_commit_message(commit_text, repository=None,
1672 def urlify_commit_message(commit_text, repository=None, active_pattern_entries=None):
1672 active_pattern_entries=None):
1673 """
1673 """
1674 Parses given text message and makes proper links.
1674 Parses given text message and makes proper links.
1675 issues are linked to given issue-server, and rest is a commit link
1675 issues are linked to given issue-server, and rest is a commit link
@@ -350,18 +350,26 b' class IssueTrackerSettingsModel(object):'
350 uid = k[len(prefix_match):]
350 uid = k[len(prefix_match):]
351 issuetracker_entries[uid] = None
351 issuetracker_entries[uid] = None
352
352
353 def url_cleaner(input_str):
354 input_str = input_str.replace('"', '').replace("'", '')
355 input_str = bleach.clean(input_str, strip=True)
356 return input_str
357
353 # populate
358 # populate
354 for uid in issuetracker_entries:
359 for uid in issuetracker_entries:
360 url_data = qs.get(self._get_keyname('url', uid, 'rhodecode_'))
361
355 issuetracker_entries[uid] = AttributeDict({
362 issuetracker_entries[uid] = AttributeDict({
356 'pat': qs.get(
363 'pat': qs.get(
357 self._get_keyname('pat', uid, 'rhodecode_')),
364 self._get_keyname('pat', uid, 'rhodecode_')),
358 'url': bleach.clean(
365 'url': url_cleaner(
359 qs.get(self._get_keyname('url', uid, 'rhodecode_')) or ''),
366 qs.get(self._get_keyname('url', uid, 'rhodecode_')) or ''),
360 'pref': bleach.clean(
367 'pref': bleach.clean(
361 qs.get(self._get_keyname('pref', uid, 'rhodecode_')) or ''),
368 qs.get(self._get_keyname('pref', uid, 'rhodecode_')) or ''),
362 'desc': qs.get(
369 'desc': qs.get(
363 self._get_keyname('desc', uid, 'rhodecode_')),
370 self._get_keyname('desc', uid, 'rhodecode_')),
364 })
371 })
372
365 return issuetracker_entries
373 return issuetracker_entries
366
374
367 def get_global_settings(self, cache=False):
375 def get_global_settings(self, cache=False):
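Review bot: `url_data = qs.get(self._get_keyname('url', uid, 'rhodecode_'))` is assigned but never read — the `'url'` entry a few lines below re-queries `qs` with the same key, so the new local is dead and the lookup runs twice; the entry should read `'url': url_cleaner(url_data or ''),`. url_cleaner also rewrites the administrator-supplied URL template (quotes dropped, tags stripped) instead of rejecting an invalid one, so a template containing a quote is saved silently changed and the rendering side still has to escape the value for attribute context; checking the scheme (http/https) at this point would be a stronger guarantee than character removal. `'pref'` keeps the plain bleach.clean while `'url'` additionally loses quotes, although both appear to be interpolated into the same link markup later — if quote removal is the intended policy the same cleaner should apply to both. The enclosing method's header is outside the hunk.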