security: escape VCS errors shown in flash messages to prevent XSS attacks.
ergo -
r1838:b8e3feed default
@@ -67,13 +67,11 b' class ChangelogController(BaseRepoContro'
67 except EmptyRepositoryError:
67 except EmptyRepositoryError:
68 if not redirect_after:
68 if not redirect_after:
69 return None
69 return None
70 h.flash(h.literal(_('There are no commits yet')),
70 h.flash(_('There are no commits yet'), category='warning')
71 category='warning')
72 redirect(url('changelog_home', repo_name=repo.repo_name))
71 redirect(url('changelog_home', repo_name=repo.repo_name))
73 except RepositoryError as e:
72 except RepositoryError as e:
74 msg = safe_str(e)
73 log.exception(safe_str(e))
75 log.exception(msg)
74 h.flash(safe_str(h.escape(e)), category='warning')
76 h.flash(msg, category='warning')
77 if not partial:
75 if not partial:
78 redirect(h.url('changelog_home', repo_name=repo.repo_name))
76 redirect(h.url('changelog_home', repo_name=repo.repo_name))
79 raise HTTPBadRequest()
77 raise HTTPBadRequest()
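Review bot: `safe_str(h.escape(e))` on the new line 74 hands the raw exception object to the escape helper, which (if it is markupsafe-style) stringifies it itself, so under Python 2 a byte-string error message with non-ASCII characters — typical for a VCS error quoting a path — can raise UnicodeDecodeError inside the `except` handler instead of producing the flash, whereas the old `safe_str(e)` handled the encoding first. Converting before escaping keeps that behaviour: `h.flash(h.escape(safe_unicode(e)), category='warning')`, using whichever to-unicode helper this module already imports (`safe_unicode` is visible in the BaseCommit hunk at line 1069). The same pattern is added at lines 190 and 194 of this controller, at line 70 of CompareController and at lines 110, 131 and 259 of FilesController. Escaping at each call site also leaves any `h.flash(safe_str(e), ...)` the commit missed unprotected; assuming the flash template renders messages unescaped, having `h.flash` escape by default and opting out with `h.literal` (as the removed line 70 already did) would close the whole class. The enclosing method starts outside the hunk.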
@@ -113,7 +111,7 b' class ChangelogController(BaseRepoContro'
113
111
114 def _check_if_valid_branch(self, branch_name, repo_name, f_path):
112 def _check_if_valid_branch(self, branch_name, repo_name, f_path):
115 if branch_name not in c.rhodecode_repo.branches_all:
113 if branch_name not in c.rhodecode_repo.branches_all:
116 h.flash('Branch {} is not found.'.format(branch_name),
114 h.flash('Branch {} is not found.'.format(h.escape(branch_name)),
117 category='warning')
115 category='warning')
118 redirect(url('changelog_file_home', repo_name=repo_name,
116 redirect(url('changelog_file_home', repo_name=repo_name,
119 revision=branch_name, f_path=f_path or ''))
117 revision=branch_name, f_path=f_path or ''))
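Review bot: The new flash on line 114 is the only one in this commit that is not wrapped in `_()`, so 'Branch {} is not found.' stays untranslated while the neighbouring messages are translatable. The escape itself is correct; `h.flash(_('Branch `{}` is not found.').format(h.escape(branch_name)), category='warning')` would match the sibling messages in CompareController (lines 149 and 156), which also quote the user-supplied name in backticks. `_check_if_valid_branch` continues past the hunk.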
@@ -189,12 +187,11 b' class ChangelogController(BaseRepoContro'
189 collection, p, chunk_size, c.branch_name, dynamic=f_path)
187 collection, p, chunk_size, c.branch_name, dynamic=f_path)
190
188
191 except EmptyRepositoryError as e:
189 except EmptyRepositoryError as e:
192 h.flash(safe_str(e), category='warning')
190 h.flash(safe_str(h.escape(e)), category='warning')
193 return redirect(h.route_path('repo_summary', repo_name=repo_name))
191 return redirect(h.route_path('repo_summary', repo_name=repo_name))
194 except (RepositoryError, CommitDoesNotExistError, Exception) as e:
192 except (RepositoryError, CommitDoesNotExistError, Exception) as e:
195 msg = safe_str(e)
193 log.exception(safe_str(e))
196 log.exception(msg)
194 h.flash(safe_str(h.escape(e)), category='error')
197 h.flash(msg, category='error')
198 return redirect(url('changelog_home', repo_name=repo_name))
195 return redirect(url('changelog_home', repo_name=repo_name))
199
196
200 if (request.environ.get('HTTP_X_PARTIAL_XHR')
197 if (request.environ.get('HTTP_X_PARTIAL_XHR')
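Review bot: Line 194 still flashes the text of any `Exception` caught by the catch-all on line 192, so the escape closes the XSS but the user is still shown arbitrary internal failure details that belong only in the log written on line 193. The FilesController hunk at lines 475/476 already takes the safer shape for its catch-all — log the exception, flash a fixed translated message — and the same would fit here: keep `safe_str(h.escape(e))` for `RepositoryError` and `CommitDoesNotExistError` in their own `except`, and flash a constant such as `_('Error occurred while loading the changelog')` for the bare `Exception` case. The surrounding method starts and ends outside the hunk.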
@@ -24,7 +24,7 b' Compare controller for showing differenc'
24
24
25 import logging
25 import logging
26
26
27 from webob.exc import HTTPBadRequest
27 from webob.exc import HTTPBadRequest, HTTPNotFound
28 from pylons import request, tmpl_context as c, url
28 from pylons import request, tmpl_context as c, url
29 from pylons.controllers.util import redirect
29 from pylons.controllers.util import redirect
30 from pylons.i18n.translation import _
30 from pylons.i18n.translation import _
@@ -66,9 +66,8 b' class CompareController(BaseRepoControll'
66 redirect(h.route_path('repo_summary', repo_name=repo.repo_name))
66 redirect(h.route_path('repo_summary', repo_name=repo.repo_name))
67
67
68 except RepositoryError as e:
68 except RepositoryError as e:
69 msg = safe_str(e)
69 log.exception(safe_str(e))
70 log.exception(msg)
70 h.flash(safe_str(h.escape(e)), category='warning')
71 h.flash(msg, category='warning')
72 if not partial:
71 if not partial:
73 redirect(h.route_path('repo_summary', repo_name=repo.repo_name))
72 redirect(h.route_path('repo_summary', repo_name=repo.repo_name))
74 raise HTTPBadRequest()
73 raise HTTPBadRequest()
@@ -86,6 +85,10 b' class CompareController(BaseRepoControll'
86 target_repo = request.GET.get('target_repo', source_repo)
85 target_repo = request.GET.get('target_repo', source_repo)
87 c.source_repo = Repository.get_by_repo_name(source_repo)
86 c.source_repo = Repository.get_by_repo_name(source_repo)
88 c.target_repo = Repository.get_by_repo_name(target_repo)
87 c.target_repo = Repository.get_by_repo_name(target_repo)
88
89 if c.source_repo is None or c.target_repo is None:
90 raise HTTPNotFound()
91
89 c.source_ref = c.target_ref = _('Select commit')
92 c.source_ref = c.target_ref = _('Select commit')
90 c.source_ref_type = ""
93 c.source_ref_type = ""
91 c.target_ref_type = ""
94 c.target_ref_type = ""
@@ -141,18 +144,17 b' class CompareController(BaseRepoControll'
141 target_repo = Repository.get_by_repo_name(target_repo_name)
144 target_repo = Repository.get_by_repo_name(target_repo_name)
142
145
143 if source_repo is None:
146 if source_repo is None:
144 msg = _('Could not find the original repo: %(repo)s') % {
147 log.error('Could not find the source repo: {}'
145 'repo': source_repo}
148 .format(source_repo_name))
146
149 h.flash(_('Could not find the source repo: `{}`')
147 log.error(msg)
150 .format(h.escape(source_repo_name)), category='error')
148 h.flash(msg, category='error')
149 return redirect(url('compare_home', repo_name=c.repo_name))
151 return redirect(url('compare_home', repo_name=c.repo_name))
150
152
151 if target_repo is None:
153 if target_repo is None:
152 msg = _('Could not find the other repo: %(repo)s') % {
154 log.error('Could not find the target repo: {}'
153 'repo': target_repo_name}
155 .format(source_repo_name))
154 log.error(msg)
156 h.flash(_('Could not find the target repo: `{}`')
155 h.flash(msg, category='error')
157 .format(h.escape(target_repo_name)), category='error')
156 return redirect(url('compare_home', repo_name=c.repo_name))
158 return redirect(url('compare_home', repo_name=c.repo_name))
157
159
158 source_scm = source_repo.scm_instance()
160 source_scm = source_repo.scm_instance()
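Review bot: The `target_repo is None` branch logs the wrong name: line 155 formats `source_repo_name` into 'Could not find the target repo: {}', so the log line reports the repo that was found, never the missing one, while the flash on line 157 correctly uses `target_repo_name`. It should read `.format(target_repo_name))`. Using lazy arguments, `log.error('Could not find the target repo: %s', target_repo_name)`, would also keep the escaped flash text and the unescaped log text visibly separate, which matters here because the log must keep the raw name. The enclosing method continues outside the hunk.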
@@ -107,7 +107,7 b' class FilesController(BaseRepoController'
107 h.flash(msg, category='error')
107 h.flash(msg, category='error')
108 raise HTTPNotFound()
108 raise HTTPNotFound()
109 except RepositoryError as e:
109 except RepositoryError as e:
110 h.flash(safe_str(e), category='error')
110 h.flash(safe_str(h.escape(e)), category='error')
111 raise HTTPNotFound()
111 raise HTTPNotFound()
112
112
113 def __get_filenode_or_redirect(self, repo_name, commit, path):
113 def __get_filenode_or_redirect(self, repo_name, commit, path):
@@ -128,7 +128,7 b' class FilesController(BaseRepoController'
128 h.flash(_('No such commit exists for this repository'), category='error')
128 h.flash(_('No such commit exists for this repository'), category='error')
129 raise HTTPNotFound()
129 raise HTTPNotFound()
130 except RepositoryError as e:
130 except RepositoryError as e:
131 h.flash(safe_str(e), category='error')
131 h.flash(safe_str(h.escape(e)), category='error')
132 raise HTTPNotFound()
132 raise HTTPNotFound()
133
133
134 return file_node
134 return file_node
@@ -256,7 +256,7 b' class FilesController(BaseRepoController'
256 repo_name, c.commit.raw_id, f_path)
256 repo_name, c.commit.raw_id, f_path)
257
257
258 except RepositoryError as e:
258 except RepositoryError as e:
259 h.flash(safe_str(e), category='error')
259 h.flash(safe_str(h.escape(e)), category='error')
260 raise HTTPNotFound()
260 raise HTTPNotFound()
261
261
262 if request.environ.get('HTTP_X_PJAX'):
262 if request.environ.get('HTTP_X_PJAX'):
@@ -472,9 +472,8 b' class FilesController(BaseRepoController'
472 _('Successfully deleted file `{}`').format(
472 _('Successfully deleted file `{}`').format(
473 h.escape(f_path)), category='success')
473 h.escape(f_path)), category='success')
474 except Exception:
474 except Exception:
475 msg = _('Error occurred during commit')
475 log.exception('Error during commit operation')
476 log.exception(msg)
476 h.flash(_('Error occurred during commit'), category='error')
477 h.flash(msg, category='error')
478 return redirect(url('changeset_home',
477 return redirect(url('changeset_home',
479 repo_name=c.repo_name, revision='tip'))
478 repo_name=c.repo_name, revision='tip'))
480
479
@@ -1066,7 +1066,7 b' class BaseCommit(object):'
1066 def no_node_at_path(self, path):
1066 def no_node_at_path(self, path):
1067 return NodeDoesNotExistError(
1067 return NodeDoesNotExistError(
1068 u"There is no file nor directory at the given path: "
1068 u"There is no file nor directory at the given path: "
1069 u"'%s' at commit %s" % (safe_unicode(path), self.short_id))
1069 u"`%s` at commit %s" % (safe_unicode(path), self.short_id))
1070
1070
1071 def _fix_path(self, path):
1071 def _fix_path(self, path):
1072 """
1072 """
@@ -489,7 +489,22 b' class TestCompareController(object):'
489 compare_page = ComparePage(response)
489 compare_page = ComparePage(response)
490 compare_page.contains_commits(commits=[commit1], ancestors=[commit0])
490 compare_page.contains_commits(commits=[commit1], ancestors=[commit0])
491
491
492 def test_errors_when_comparing_unknown_repo(self, backend):
492 def test_errors_when_comparing_unknown_source_repo(self, backend):
493 repo = backend.repo
494 badrepo = 'badrepo'
495
496 response = self.app.get(
497 url('compare_url',
498 repo_name=badrepo,
499 source_ref_type="rev",
500 source_ref='tip',
501 target_ref_type="rev",
502 target_ref='tip',
503 target_repo=repo.repo_name,
504 merge='1',),
505 status=404)
506
507 def test_errors_when_comparing_unknown_target_repo(self, backend):
493 repo = backend.repo
508 repo = backend.repo
494 badrepo = 'badrepo'
509 badrepo = 'badrepo'
495
510
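Review bot: `test_errors_when_comparing_unknown_source_repo` (line 492) asserts only a 404 for a bad `repo_name` in the route; if the base repo controller already rejects unknown repo names before the action runs, the new `source_repo is None` branch at controller line 146 is never reached and the test passes without it. Building the request with a real `repo_name` and the bad name in the query string, the way the target-repo test passes `target_repo` (and assuming the route accepts a `source_repo` parameter like the `target_repo` one visible at line 85), would exercise that branch and let the test assert the redirected message as line 523 does. There is also no regression test for the escape this commit is about: a case where a flashed error or repo name containing `<` is asserted to appear in the response as `&lt;` would guard against the escaping being dropped again. The test class continues outside the hunk.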
@@ -504,7 +519,8 b' class TestCompareController(object):'
504 merge='1',),
519 merge='1',),
505 status=302)
520 status=302)
506 redirected = response.follow()
521 redirected = response.follow()
507 redirected.mustcontain('Could not find the other repo: %s' % badrepo)
522 redirected.mustcontain(
523 'Could not find the target repo: `{}`'.format(badrepo))
508
524
509 def test_compare_not_in_preview_mode(self, backend_stub):
525 def test_compare_not_in_preview_mode(self, backend_stub):
510 commit0 = backend_stub.repo.get_commit(commit_idx=0)
526 commit0 = backend_stub.repo.get_commit(commit_idx=0)
@@ -484,7 +484,7 b' class TestRawFileHandling(object):'
484
484
485 msg = (
485 msg = (
486 "There is no file nor directory at the given path: "
486 "There is no file nor directory at the given path: "
487 "'%s' at commit %s" % (f_path, commit.short_id))
487 "`%s` at commit %s" % (f_path, commit.short_id))
488 response.mustcontain(msg)
488 response.mustcontain(msg)
489
489
490 def test_raw_ok(self, backend):
490 def test_raw_ok(self, backend):
@@ -517,7 +517,7 b' class TestRawFileHandling(object):'
517 f_path=f_path), status=404)
517 f_path=f_path), status=404)
518 msg = (
518 msg = (
519 "There is no file nor directory at the given path: "
519 "There is no file nor directory at the given path: "
520 "'%s' at commit %s" % (f_path, commit.short_id))
520 "`%s` at commit %s" % (f_path, commit.short_id))
521 response.mustcontain(msg)
521 response.mustcontain(msg)
522
522
523 def test_raw_svg_should_not_be_rendered(self, backend):
523 def test_raw_svg_should_not_be_rendered(self, backend):