rhodecode-enterprise-ce Commit - r1815:7cb6e1ce

security: use new safe escaped user attributes across the application....

ergo -

r1815:7cb6e1ce default

parent child

rhodecode/apps/admin/views/users.py

0 +2 -2

                         users_data.append({
                             "username": h.gravatar_with_user(user.username),
                             "email": user.email,
-                            "first_name": h.escape(user.name),
+                            "first_name": user.first_name,
-                            "last_name": h.escape(user.lastname),
+                            "last_name": user.last_name,
                             "last_login": h.format_date(user.last_login),
                             "last_activity": h.format_date(user.last_activity),
                             "active": h.bool2icon(user.active),

rhodecode/apps/home/tests/test_home.py

0 +2 -2

                     user_util.create_repo(owner=username)
                     response = self.app.get(route_path('home'))
-                    response.mustcontain(h.html_escape(h.escape(user.name)))
+                    response.mustcontain(h.html_escape(user.first_name))
-                    response.mustcontain(h.html_escape(h.escape(user.lastname)))
+                    response.mustcontain(h.html_escape(user.last_name))
                 @pytest.mark.parametrize("name, state", [
                     ('Disabled', False),

rhodecode/apps/repository/utils.py

0 +2 -2

                     'reasons': reasons or [],
                     'mandatory': mandatory,
                     'username': user.username,
-                    'firstname': user.firstname,
+                    'first_name': user.first_name,
-                    'lastname': user.lastname,
+                    'last_name': user.last_name,
                     'gravatar_link': h.gravatar_url(user.email, 14),
                 }

rhodecode/controllers/admin/user_groups.py

0 +2 -2

                     group_members = [
                         {
                             'id': user.user_id,
-                            'first_name': user.name,
+                            'first_name': user.first_name,
-                            'last_name': user.lastname,
+                            'last_name': user.last_name,
                             'username': user.username,
                             'icon_link': h.gravatar_url(user.email, 30),
                             'value_display': h.person(user.email),

rhodecode/controllers/pullrequests.py

0 +1 -2

             """
             pull requests controller for rhodecode for initializing pull requests
             """
-            import types
             import peppercorn
             import formencode
             import logging
             from pylons.controllers.util import redirect
             from pylons.i18n.translation import _
             from pyramid.threadlocal import get_current_registry
+            from pyramid.httpexceptions import HTTPFound
             from sqlalchemy.sql import func
             from sqlalchemy.sql.expression import or_

rhodecode/lib/auth.py

0 +2 0

                     self.ip_addr = ip_addr
                     self.name = ''
                     self.lastname = ''
+                    self.first_name = ''
+                    self.last_name = ''
                     self.email = ''
                     self.is_authenticated = False
                     self.admin = False

rhodecode/lib/channelstream.py

0 +2 -2

                 return {
                     'id': user.user_id,
                     'username': user.username,
-                    'first_name': user.name,
+                    'first_name': user.first_name,
-                    'last_name': user.lastname,
+                    'last_name': user.last_name,
                     'icon_link': h.gravatar_url(user.email, 60),
                     'display_name': h.person(user, 'username_or_name_or_email'),
                     'display_link': h.link_to_user(user),

rhodecode/lib/helpers.py

0 +4 -4

                 if email:
                     user = User.get_by_email(email, case_insensitive=True, cache=True)
                     if user:
-                        if user.firstname or user.lastname:
+                        if user.first_name or user.last_name:
                             return '%s %s &lt;%s&gt;' % (
-                                escape(user.firstname), escape(user.lastname), email)
+                                user.first_name, user.last_name, email)
                         else:
                             return email
                     else:
                     # first push the email initials
                     prefix, server = email_address.split('@', 1)
-                    # check if prefix is maybe a 'firstname.lastname' syntax
+                    # check if prefix is maybe a 'first_name.last_name' syntax
                     _dot_split = prefix.rsplit('.', 1)
                     if len(_dot_split) == 2:
                         initials = [_dot_split[0][0], _dot_split[1][0]]
                     else:
                         initials = [prefix[0], server[0]]
-                    # then try to replace either firtname or lastname
+                    # then try to replace either first_name or last_name
                     fn_letter = (first_name or " ")[0].strip()
                     ln_letter = (last_name.split(' ', 1)[-1] or " ")[0].strip()

rhodecode/model/db.py

0 +12 -8

                 @hybrid_property
                 def first_name(self):
                     from rhodecode.lib import helpers as h
-                    return h.escape(self.name)
+                    if self.name:
+                        return h.escape(self.name)
+                    return self.name
                 @hybrid_property
                 def last_name(self):
                     from rhodecode.lib import helpers as h
-                    return h.escape(self.lastname)
+                    if self.lastname:
+                        return h.escape(self.lastname)
+                    return self.lastname
                 @hybrid_property
                 def api_key(self):
                 @property
                 def username_and_name(self):
-                    return '%s (%s %s)' % (self.username, self.firstname, self.lastname)
+                    return '%s (%s %s)' % (self.username, self.first_name, self.last_name)
                 @property
                 def username_or_name_or_email(self):
                 @property
                 def full_name(self):
-                    return '%s %s' % (self.firstname, self.lastname)
+                    return '%s %s' % (self.first_name, self.last_name)
                 @property
                 def full_name_or_username(self):
-                    return ('%s %s' % (self.firstname, self.lastname)
+                    return ('%s %s' % (self.first_name, self.last_name)
-                            if (self.firstname and self.lastname) else self.username)
+                            if (self.first_name and self.last_name) else self.username)
                 @property
                 def full_contact(self):
-                    return '%s %s <%s>' % (self.firstname, self.lastname, self.email)
+                    return '%s %s <%s>' % (self.first_name, self.last_name, self.email)
                 @property
                 def short_contact(self):
-                    return '%s %s' % (self.firstname, self.lastname)
+                    return '%s %s' % (self.first_name, self.last_name)
                 @property
                 def is_admin(self):

rhodecode/model/pull_request.py

0 +2 -2

                         'user': {
                             'user_id': repo.user.user_id,
                             'username': repo.user.username,
-                            'firstname': repo.user.firstname,
+                            'firstname': repo.user.first_name,
-                            'lastname': repo.user.lastname,
+                            'lastname': repo.user.last_name,
                             'gravatar_link': h.gravatar_url(repo.user.email, 14),
                         },
                         'description': h.chop_at_smart(repo.description, '\n'),

rhodecode/model/user.py

0 +7 -2

                     return {
                         'id': user.user_id,
-                        'first_name': h.escape(user.name),
+                        'first_name': user.first_name,
-                        'last_name': h.escape(user.lastname),
+                        'last_name': user.last_name,
                         'username': user.username,
                         'email': user.email,
                         'icon_link': h.gravatar_url(user.email, 30),
                         # TODO: johbo: Think about this and find a clean solution
                         user_data = dbuser.get_dict()
                         user_data.update(dbuser.get_api_data(include_secrets=True))
+                        user_data.update({
+                            # set explicit the safe escaped values
+                            'first_name': dbuser.first_name,
+                            'last_name': dbuser.last_name,
+                        })
                         for k, v in user_data.iteritems():
                             # properties of auth user we dont update

rhodecode/public/js/src/rhodecode/pullrequests.js

0 +2 -2

                             for (var i = 0; i < data.reviewers.length; i++) {
                               var reviewer = data.reviewers[i];
                               self.addReviewMember(
-                                  reviewer.user_id, reviewer.firstname,
+                                  reviewer.user_id, reviewer.first_name,
-                                  reviewer.lastname, reviewer.username,
+                                  reviewer.last_name, reviewer.username,
                                   reviewer.gravatar_link, reviewer.reasons,
                                   reviewer.mandatory);
                             }

rhodecode/templates/admin/my_account/my_account_profile.mako

0 +2 -2

                             ${_('First Name')}:
                         </div>
                         <div class="right-content">
-                            ${c.user.firstname}
+                            ${c.user.first_name}
                         </div>
                     </div>
                     <div class="fieldset">
                             ${_('Last Name')}:
                         </div>
                         <div class="right-content">
-                            ${c.user.lastname}
+                            ${c.user.last_name}
                         </div>
                     </div>
                     <div class="fieldset">

rhodecode/templates/base/root.mako

0 +2 -2

                 c.template_context['rhodecode_user']['username'] = c.rhodecode_user.username
                 c.template_context['rhodecode_user']['email'] = c.rhodecode_user.email
                 c.template_context['rhodecode_user']['notification_status'] = c.rhodecode_user.get_instance().user_data.get('notification_status', True)
-                c.template_context['rhodecode_user']['first_name'] = c.rhodecode_user.name
+                c.template_context['rhodecode_user']['first_name'] = c.rhodecode_user.first_name
-                c.template_context['rhodecode_user']['last_name'] = c.rhodecode_user.lastname
+                c.template_context['rhodecode_user']['last_name'] = c.rhodecode_user.last_name
             c.template_context['visual']['default_renderer'] = h.get_visual_attr(c, 'default_renderer')
             c.template_context['default_user'] = {

rhodecode/templates/email_templates/user_registration.mako

0 +2 -2

             A new user `${user.username}` has registered on ${h.format_date(date)}
             - Username: ${user.username}
-            - Full Name: ${user.firstname} ${user.lastname}
+            - Full Name: ${user.first_name} ${user.last_name}
             - Email: ${user.email}
             - Profile link: ${h.route_url('user_profile', username=user.username)}
             <table style="text-align:left;vertical-align:middle;">
                 <tr><td colspan="2" style="width:100%;padding-bottom:15px;border-bottom:1px solid #dbd9da;"><h4><a href="${h.route_url('user_profile', username=user.username)}" style="color:#427cc9;text-decoration:none;cursor:pointer">${_('New user %(user)s has registered on %(date)s') % {'user': user.username, 'date': h.format_date(date)}}</a></h4></td></tr>
                 <tr><td style="padding-right:20px;padding-top:20px;">${_('Username')}</td><td style="line-height:1;padding-top:20px;"><img style="margin-bottom:-5px;text-align:left;border:1px solid #dbd9da" src="${h.gravatar_url(user.email, 16)}" height="16" width="16">&nbsp;${user.username}</td></tr>
-                <tr><td style="padding-right:20px;">${_('Full Name')}</td><td>${user.firstname} ${user.lastname}</td></tr>
+                <tr><td style="padding-right:20px;">${_('Full Name')}</td><td>${user.first_name} ${user.last_name}</td></tr>
                 <tr><td style="padding-right:20px;">${_('Email')}</td><td>${user.email}</td></tr>
                 <tr><td style="padding-right:20px;">${_('Profile')}</td><td><a href="${h.route_url('user_profile', username=user.username)}">${h.route_url('user_profile', username=user.username)}</a></td></tr>
             </table>

rhodecode/templates/users/user_profile.mako

0 +2 -2

                             ${_('First name')}:
                         </div>
                         <div class="right-content">
-                            ${c.user.firstname}
+                            ${c.user.first_name}
                         </div>
                     </div>
                     <div class="fieldset">
                             ${_('Last name')}:
                         </div>
                         <div class="right-content">
-                            ${c.user.lastname}
+                            ${c.user.last_name}
                         </div>
                     </div>
                     <div class="fieldset">

rhodecode/tests/functional/test_admin_gists.py

0 +2 -5

                 def test_user_first_name_is_escaped(self, user_util, create_gist):
                     xss_atack_string = '"><script>alert(\'First Name\')</script>'
-                    xss_escaped_string = (
+                    xss_escaped_string = h.html_escape(h.escape(xss_atack_string))
-                        '&#34;&gt;&lt;script&gt;alert(&#39;First Name&#39;)&lt;/script'
-                        '&gt;')
                     password = 'test'
                     user = user_util.create_user(
                         firstname=xss_atack_string, password=password)
                 def test_user_last_name_is_escaped(self, user_util, create_gist):
                     xss_atack_string = '"><script>alert(\'Last Name\')</script>'
-                    xss_escaped_string = (
+                    xss_escaped_string = h.html_escape(h.escape(xss_atack_string))
-                        '&#34;&gt;&lt;script&gt;alert(&#39;Last Name&#39;)&lt;/script&gt;')
                     password = 'test'
                     user = user_util.create_user(
                         lastname=xss_atack_string, password=password)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages