rhodecode-enterprise-ce Commit - r1780:73cbe636

security: escape always the provided user data like firstname/lastname.

marcink -

r1780:73cbe636 default

parent child

rhodecode/model/user.py

0 +9 -9

              import ipaddress
              from sqlalchemy.exc import DatabaseError
-             from sqlalchemy.sql.expression import true, false
              from rhodecode import events
              from rhodecode.lib.user_log_filter import user_log_filter
              from rhodecode.lib.utils2 import (
                  safe_unicode, get_current_rhodecode_user, action_logger_generic,
                  AttributeDict, str2bool)
+             from rhodecode.lib.exceptions import (
+                 DefaultUserException, UserOwnsReposException, UserOwnsRepoGroupsException,
+                 UserOwnsUserGroupsException, NotAllowedToCreateUserError)
              from rhodecode.lib.caching_query import FromCache
              from rhodecode.model import BaseModel
              from rhodecode.model.auth_token import AuthTokenModel
-             from rhodecode.model.db import (_hash_key,
-                 or_, joinedload, User, UserToPerm, UserEmailMap, UserIpMap, UserLog)
-             from rhodecode.lib.exceptions import (
-                 DefaultUserException, UserOwnsReposException, UserOwnsRepoGroupsException,
-                 UserOwnsUserGroupsException, NotAllowedToCreateUserError)
+             from rhodecode.model.db import (
+                 _hash_key, true, false, or_, joinedload, User, UserToPerm,
+                 UserEmailMap, UserIpMap, UserLog)
              from rhodecode.model.meta import Session
              from rhodecode.model.repo_group import RepoGroupModel
                      return {
                          'id': user.user_id,
-                         'first_name': user.name,
-                         'last_name': user.lastname,
+                         'first_name': h.escape(user.name),
+                         'last_name': h.escape(user.lastname),
                          'username': user.username,
                          'email': user.email,
                          'icon_link': h.gravatar_url(user.email, 30),
-                         'value_display': h.person(user),
+                         'value_display': h.escape(h.person(user)),
                          'value': user.username,
                          'value_type': 'user',
                          'active': user.active,

rhodecode/model/user_group.py

0 +5 -4

              import traceback
              from rhodecode.lib.utils2 import safe_str, safe_unicode
+             from rhodecode.lib.exceptions import (
+                 UserGroupAssignedException, RepoGroupAssignmentError)
+             from rhodecode.lib.utils2 import (
+                 get_current_rhodecode_user, action_logger_generic)
              from rhodecode.model import BaseModel
              from rhodecode.model.scm import UserGroupList
              from rhodecode.model.db import (
                  true, func, User, UserGroupMember, UserGroup,
                  UserGroupRepoToPerm, Permission, UserGroupToPerm, UserUserGroupToPerm,
                  UserGroupUserGroupToPerm, UserGroupRepoGroupToPerm)
-             from rhodecode.lib.exceptions import (
-                 UserGroupAssignedException, RepoGroupAssignmentError)
-             from rhodecode.lib.utils2 import (
-                 get_current_rhodecode_user, action_logger_generic)
              log = logging.getLogger(__name__)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages