security: use new safe escaped user attributes across the application....
ergo -
r1815:7cb6e1ce default
@@ -127,8 +127,8 b' class AdminUsersView(BaseAppView, DataGr'
127 127 users_data.append({
128 128 "username": h.gravatar_with_user(user.username),
129 129 "email": user.email,
130 "first_name": h.escape(user.name),
131 "last_name": h.escape(user.lastname),
130 "first_name": user.first_name,
131 "last_name": user.last_name,
132 132 "last_login": h.format_date(user.last_login),
133 133 "last_activity": h.format_date(user.last_activity),
134 134 "active": h.bool2icon(user.active),
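Review bot: The row now depends on `User.first_name`/`User.last_name` carrying already-escaped text, but nothing at this call site says so, and a later maintainer could easily re-escape the value or swap back to `user.name`. A one-line comment above the two keys, `# first_name/last_name are HTML-escaped by the User hybrid properties`, would keep the contract visible where it is relied on. The same applies to the identical dicts in the UserGroupsController, get_user_data and UserModel hunks further down.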
@@ -111,8 +111,8 b' class TestHomeController(TestController)'
111 111 user_util.create_repo(owner=username)
112 112
113 113 response = self.app.get(route_path('home'))
114 response.mustcontain(h.html_escape(h.escape(user.name)))
115 response.mustcontain(h.html_escape(h.escape(user.lastname)))
114 response.mustcontain(h.html_escape(user.first_name))
115 response.mustcontain(h.html_escape(user.last_name))
116 116
117 117 @pytest.mark.parametrize("name, state", [
118 118 ('Disabled', False),
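Review bot: The expectations on the two new lines are computed with the same helpers the page uses, so a regression in `User.first_name` (the property returning the raw name, say) would change the expected value and the rendered output alike and the test would still pass; the two TestGistsController hunks go further by deleting the literal `&#34;&gt;&lt;script&gt;…` strings that were the only fixed oracle. Keeping one literal expectation per test, or pairing `response.mustcontain(...)` on the escaped form with an assertion that the raw `xss_atack_string` is absent from the body, restores the check. Separately, the expected form `h.html_escape(h.escape(...))` encodes two rounds of escaping; if the page really contains that, a name such as O'Brien renders with a visible entity, which is worth confirming rather than pinning in a test.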
@@ -36,8 +36,8 b' def reviewer_as_json(user, reasons=None,'
36 36 'reasons': reasons or [],
37 37 'mandatory': mandatory,
38 38 'username': user.username,
39 'firstname': user.firstname,
40 'lastname': user.lastname,
39 'first_name': user.first_name,
40 'last_name': user.last_name,
41 41 'gravatar_link': h.gravatar_url(user.email, 14),
42 42 }
43 43
@@ -493,8 +493,8 b' class UserGroupsController(BaseControlle'
493 493 group_members = [
494 494 {
495 495 'id': user.user_id,
496 'first_name': user.name,
497 'last_name': user.lastname,
496 'first_name': user.first_name,
497 'last_name': user.last_name,
498 498 'username': user.username,
499 499 'icon_link': h.gravatar_url(user.email, 30),
500 500 'value_display': h.person(user.email),
@@ -21,8 +21,6 b''
21 21 """
22 22 pull requests controller for rhodecode for initializing pull requests
23 23 """
24 import types
25
26 24 import peppercorn
27 25 import formencode
28 26 import logging
@@ -33,6 +31,7 b' from pylons import request, tmpl_context'
33 31 from pylons.controllers.util import redirect
34 32 from pylons.i18n.translation import _
35 33 from pyramid.threadlocal import get_current_registry
34 from pyramid.httpexceptions import HTTPFound
36 35 from sqlalchemy.sql import func
37 36 from sqlalchemy.sql.expression import or_
38 37
@@ -807,6 +807,8 b' class AuthUser(object):'
807 807 self.ip_addr = ip_addr
808 808 self.name = ''
809 809 self.lastname = ''
810 self.first_name = ''
811 self.last_name = ''
810 812 self.email = ''
811 813 self.is_authenticated = False
812 814 self.admin = False
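Review bot: `first_name`/`last_name` are added beside `name`/`lastname` with no hint that the two pairs differ only in escaping, which invites picking the wrong one in a template or API response. A comment on the new lines, `# HTML-escaped copies of name/lastname, filled from User.first_name/last_name`, would make the distinction explicit. I am inferring how they get populated from the UserModel hunk that injects those keys into user_data, so confirm that is the only writer; the rest of `__init__` is outside the hunk.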
@@ -77,8 +77,8 b' def get_user_data(user_id):'
77 77 return {
78 78 'id': user.user_id,
79 79 'username': user.username,
80 'first_name': user.name,
81 'last_name': user.lastname,
80 'first_name': user.first_name,
81 'last_name': user.last_name,
82 82 'icon_link': h.gravatar_url(user.email, 60),
83 83 'display_name': h.person(user, 'username_or_name_or_email'),
84 84 'display_link': h.link_to_user(user),
@@ -893,9 +893,9 b' def author_string(email):'
893 893 if email:
894 894 user = User.get_by_email(email, case_insensitive=True, cache=True)
895 895 if user:
896 if user.firstname or user.lastname:
896 if user.first_name or user.last_name:
897 897 return '%s %s <%s>' % (
898 escape(user.firstname), escape(user.lastname), email)
898 user.first_name, user.last_name, email)
899 899 else:
900 900 return email
901 901 else:
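Review bot: The branch is entered when either attribute is truthy, so if `name` or `lastname` can be NULL the format string still renders the other one as the text `None`; `User.first_name` returns the falsy value unchanged, so the commit neither introduces nor fixes this. Closing it here is a one-line change: `user.first_name or '', user.last_name or '', email)`. Whether NULL is possible for these columns is not visible in the hunk.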
@@ -1144,14 +1144,14 b' class InitialsGravatar(object):'
1144 1144 # first push the email initials
1145 1145 prefix, server = email_address.split('@', 1)
1146 1146
1147 # check if prefix is maybe a 'firstname.lastname' syntax
1147 # check if prefix is maybe a 'first_name.last_name' syntax
1148 1148 _dot_split = prefix.rsplit('.', 1)
1149 1149 if len(_dot_split) == 2:
1150 1150 initials = [_dot_split[0][0], _dot_split[1][0]]
1151 1151 else:
1152 1152 initials = [prefix[0], server[0]]
1153 1153
1154 # then try to replace either firtname or lastname
1154 # then try to replace either first_name or last_name
1155 1155 fn_letter = (first_name or " ")[0].strip()
1156 1156 ln_letter = (last_name.split(' ', 1)[-1] or " ")[0].strip()
1157 1157
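Review bot: The reworded comments now read as if they refer to the model attributes, but the code on the following lines splits the e-mail prefix on `.`, i.e. the `first.last@` address convention; the original `'firstname.lastname' syntax` described that better. Suggested wording: `# check if the prefix follows the 'firstname.lastname' e-mail convention` and `# then try to replace either letter with the real first_name / last_name initial`. Fixing the `firtname` typo on the second comment is fine to keep.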
@@ -574,12 +574,16 b' class User(Base, BaseModel):'
574 574 @hybrid_property
575 575 def first_name(self):
576 576 from rhodecode.lib import helpers as h
577 if self.name:
577 578 return h.escape(self.name)
579 return self.name
578 580
579 581 @hybrid_property
580 582 def last_name(self):
581 583 from rhodecode.lib import helpers as h
584 if self.lastname:
582 585 return h.escape(self.lastname)
586 return self.lastname
583 587
584 588 @hybrid_property
585 589 def api_key(self):
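Review bot: Both properties are `@hybrid_property`, but the new `if self.name:` / `if self.lastname:` guards only make sense at instance level; evaluated on the class (for example `User.first_name` inside a query filter) `self.name` is the column attribute, and the method would try to escape it rather than produce a SQL expression. If the class-level form is never used, a plain `@property` states that intent; otherwise add `@first_name.expression` returning `cls.name` (and the same for `last_name`) so the SQL side keeps working. The two bodies are also identical apart from the attribute and could share a small `_escaped(value)` helper.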
@@ -700,7 +704,7 b' class User(Base, BaseModel):'
700 704
701 705 @property
702 706 def username_and_name(self):
703 return '%s (%s %s)' % (self.username, self.firstname, self.lastname)
707 return '%s (%s %s)' % (self.username, self.first_name, self.last_name)
704 708
705 709 @property
706 710 def username_or_name_or_email(self):
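Review bot: `username_and_name`, and in the next hunk `full_name`, `full_contact` and `short_contact`, now build their strings from the HTML-escaped properties, so any caller that emits them outside HTML (log lines, plain-text mail, an author string) will show entities such as `&amp;` or `&#39;` inside names. I cannot see the callers from here; if any non-HTML consumer exists it should read `self.name`/`self.lastname` instead, and a docstring on each property saying `Return an HTML-escaped string; not suitable for plain-text output.` would prevent the mix-up.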
@@ -709,20 +713,20 b' class User(Base, BaseModel):'
709 713
710 714 @property
711 715 def full_name(self):
712 return '%s %s' % (self.firstname, self.lastname)
716 return '%s %s' % (self.first_name, self.last_name)
713 717
714 718 @property
715 719 def full_name_or_username(self):
716 return ('%s %s' % (self.firstname, self.lastname)
717 if (self.firstname and self.lastname) else self.username)
720 return ('%s %s' % (self.first_name, self.last_name)
721 if (self.first_name and self.last_name) else self.username)
718 722
719 723 @property
720 724 def full_contact(self):
721 return '%s %s <%s>' % (self.firstname, self.lastname, self.email)
725 return '%s %s <%s>' % (self.first_name, self.last_name, self.email)
722 726
723 727 @property
724 728 def short_contact(self):
725 return '%s %s' % (self.firstname, self.lastname)
729 return '%s %s' % (self.first_name, self.last_name)
726 730
727 731 @property
728 732 def is_admin(self):
@@ -1291,8 +1291,8 b' class PullRequestModel(BaseModel):'
1291 1291 'user': {
1292 1292 'user_id': repo.user.user_id,
1293 1293 'username': repo.user.username,
1294 'firstname': repo.user.firstname,
1295 'lastname': repo.user.lastname,
1294 'firstname': repo.user.first_name,
1295 'lastname': repo.user.last_name,
1296 1296 'gravatar_link': h.gravatar_url(repo.user.email, 14),
1297 1297 },
1298 1298 'description': h.chop_at_smart(repo.description, '\n'),
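Review bot: This dict keeps the keys `'firstname'`/`'lastname'` while the values switch to the escaped properties, whereas `reviewer_as_json` in the earlier hunk renamed its keys to `'first_name'`/`'last_name'` for the same change. Two JSON shapes for the same concept are easy to get wrong on the JavaScript side; either align the keys here, `'first_name': repo.user.first_name,` / `'last_name': repo.user.last_name,` together with their consumers, or add a comment stating the key names are kept for API compatibility.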
@@ -70,8 +70,8 b' class UserModel(BaseModel):'
70 70
71 71 return {
72 72 'id': user.user_id,
73 'first_name': h.escape(user.name),
74 'last_name': h.escape(user.lastname),
73 'first_name': user.first_name,
74 'last_name': user.last_name,
75 75 'username': user.username,
76 76 'email': user.email,
77 77 'icon_link': h.gravatar_url(user.email, 30),
@@ -679,6 +679,11 b' class UserModel(BaseModel):'
679 679 # TODO: johbo: Think about this and find a clean solution
680 680 user_data = dbuser.get_dict()
681 681 user_data.update(dbuser.get_api_data(include_secrets=True))
682 user_data.update({
683 # set explicit the safe escaped values
684 'first_name': dbuser.first_name,
685 'last_name': dbuser.last_name,
686 })
682 687
683 688 for k, v in user_data.iteritems():
684 689 # properties of auth user we dont update
@@ -227,8 +227,8 b' ReviewersController = function () {'
227 227 for (var i = 0; i < data.reviewers.length; i++) {
228 228 var reviewer = data.reviewers[i];
229 229 self.addReviewMember(
230 reviewer.user_id, reviewer.firstname,
231 reviewer.lastname, reviewer.username,
230 reviewer.user_id, reviewer.first_name,
231 reviewer.last_name, reviewer.username,
232 232 reviewer.gravatar_link, reviewer.reasons,
233 233 reviewer.mandatory);
234 234 }
@@ -32,7 +32,7 b''
32 32 ${_('First Name')}:
33 33 </div>
34 34 <div class="right-content">
35 ${c.user.firstname}
35 ${c.user.first_name}
36 36 </div>
37 37 </div>
38 38 <div class="fieldset">
@@ -40,7 +40,7 b''
40 40 ${_('Last Name')}:
41 41 </div>
42 42 <div class="right-content">
43 ${c.user.lastname}
43 ${c.user.last_name}
44 44 </div>
45 45 </div>
46 46 <div class="fieldset">
@@ -12,8 +12,8 b" if getattr(c, 'rhodecode_user', None) an"
12 12 c.template_context['rhodecode_user']['username'] = c.rhodecode_user.username
13 13 c.template_context['rhodecode_user']['email'] = c.rhodecode_user.email
14 14 c.template_context['rhodecode_user']['notification_status'] = c.rhodecode_user.get_instance().user_data.get('notification_status', True)
15 c.template_context['rhodecode_user']['first_name'] = c.rhodecode_user.name
16 c.template_context['rhodecode_user']['last_name'] = c.rhodecode_user.lastname
15 c.template_context['rhodecode_user']['first_name'] = c.rhodecode_user.first_name
16 c.template_context['rhodecode_user']['last_name'] = c.rhodecode_user.last_name
17 17
18 18 c.template_context['visual']['default_renderer'] = h.get_visual_attr(c, 'default_renderer')
19 19 c.template_context['default_user'] = {
@@ -10,7 +10,7 b' RhodeCode new user registration: ${user.'
10 10 A new user `${user.username}` has registered on ${h.format_date(date)}
11 11
12 12 - Username: ${user.username}
13 - Full Name: ${user.firstname} ${user.lastname}
13 - Full Name: ${user.first_name} ${user.last_name}
14 14 - Email: ${user.email}
15 15 - Profile link: ${h.route_url('user_profile', username=user.username)}
16 16
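Review bot: If this template is rendered as plain text (it carries no markup, unlike the HTML variant in the next hunk), `${user.first_name}` will now insert HTML entities into the message body for names containing `&`, `<` or `'`, because the property escapes unconditionally. I cannot see the template's filter settings from the hunk; if this is the text/plain body, the raw columns `${user.name} ${user.lastname}` are the right source there, while the HTML variant keeps `first_name`/`last_name`.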
@@ -21,7 +21,7 b' A new user `${user.username}` has regist'
21 21 <table style="text-align:left;vertical-align:middle;">
22 22 <tr><td colspan="2" style="width:100%;padding-bottom:15px;border-bottom:1px solid #dbd9da;"><h4><a href="${h.route_url('user_profile', username=user.username)}" style="color:#427cc9;text-decoration:none;cursor:pointer">${_('New user %(user)s has registered on %(date)s') % {'user': user.username, 'date': h.format_date(date)}}</a></h4></td></tr>
23 23 <tr><td style="padding-right:20px;padding-top:20px;">${_('Username')}</td><td style="line-height:1;padding-top:20px;"><img style="margin-bottom:-5px;text-align:left;border:1px solid #dbd9da" src="${h.gravatar_url(user.email, 16)}" height="16" width="16">&nbsp;${user.username}</td></tr>
24 <tr><td style="padding-right:20px;">${_('Full Name')}</td><td>${user.firstname} ${user.lastname}</td></tr>
24 <tr><td style="padding-right:20px;">${_('Full Name')}</td><td>${user.first_name} ${user.last_name}</td></tr>
25 25 <tr><td style="padding-right:20px;">${_('Email')}</td><td>${user.email}</td></tr>
26 26 <tr><td style="padding-right:20px;">${_('Profile')}</td><td><a href="${h.route_url('user_profile', username=user.username)}">${h.route_url('user_profile', username=user.username)}</a></td></tr>
27 27 </table> No newline at end of file
@@ -35,7 +35,7 b''
35 35 ${_('First name')}:
36 36 </div>
37 37 <div class="right-content">
38 ${c.user.firstname}
38 ${c.user.first_name}
39 39 </div>
40 40 </div>
41 41 <div class="fieldset">
@@ -43,7 +43,7 b''
43 43 ${_('Last name')}:
44 44 </div>
45 45 <div class="right-content">
46 ${c.user.lastname}
46 ${c.user.last_name}
47 47 </div>
48 48 </div>
49 49 <div class="fieldset">
@@ -336,9 +336,7 b' class TestGistsController(TestController'
336 336
337 337 def test_user_first_name_is_escaped(self, user_util, create_gist):
338 338 xss_atack_string = '"><script>alert(\'First Name\')</script>'
339 xss_escaped_string = (
340 '&#34;&gt;&lt;script&gt;alert(&#39;First Name&#39;)&lt;/script'
341 '&gt;')
339 xss_escaped_string = h.html_escape(h.escape(xss_atack_string))
342 340 password = 'test'
343 341 user = user_util.create_user(
344 342 firstname=xss_atack_string, password=password)
@@ -348,8 +346,7 b' class TestGistsController(TestController'
348 346
349 347 def test_user_last_name_is_escaped(self, user_util, create_gist):
350 348 xss_atack_string = '"><script>alert(\'Last Name\')</script>'
351 xss_escaped_string = (
352 '&#34;&gt;&lt;script&gt;alert(&#39;Last Name&#39;)&lt;/script&gt;')
349 xss_escaped_string = h.html_escape(h.escape(xss_atack_string))
353 350 password = 'test'
354 351 user = user_util.create_user(
355 352 lastname=xss_atack_string, password=password)