security: fix possible XSS in the issue tracker URL.
marcink -
r3439:1755b780 default
@@ -1547,8 +1547,7 b' def urlify_commits(text_, repository):'
1547 1547 return tmpl % {
1548 1548 'pref': pref,
1549 1549 'cls': 'revision-link',
1550 'url': route_url('repo_commit', repo_name=repository,
1551 commit_id=commit_id),
1550 'url': route_url('repo_commit', repo_name=repository, commit_id=commit_id),
1552 1551 'commit_id': commit_id,
1553 1552 'suf': suf
1554 1553 }
@@ -1579,8 +1578,7 b' def _process_url_func(match_obj, repo_na'
1579 1578 raise ValueError('Bad link_format:{}'.format(link_format))
1580 1579
1581 1580 (repo_name_cleaned,
1582 parent_group_name) = RepoGroupModel().\
1583 _get_group_name_and_parent(repo_name)
1581 parent_group_name) = RepoGroupModel()._get_group_name_and_parent(repo_name)
1584 1582
1585 1583 # variables replacement
1586 1584 named_vars = {
@@ -1593,10 +1591,14 b' def _process_url_func(match_obj, repo_na'
1593 1591 named_vars.update(match_obj.groupdict())
1594 1592 _url = string.Template(entry['url']).safe_substitute(**named_vars)
1595 1593
1594 def quote_cleaner(input_str):
1595 """Remove quotes as it's HTML"""
1596 return input_str.replace('"', '')
1597
1596 1598 data = {
1597 1599 'pref': pref,
1598 'cls': 'issue-tracker-link',
1599 'url': _url,
1600 'cls': quote_cleaner('issue-tracker-link'),
1601 'url': quote_cleaner(_url),
1600 1602 'id-repr': issue_id,
1601 1603 'issue-prefix': entry['pref'],
1602 1604 'serv': entry['url'],
@@ -1621,8 +1623,7 b' def get_active_pattern_entries(repo_name'
1621 1623 return active_entries
1622 1624
1623 1625
1624 def process_patterns(text_string, repo_name, link_format='html',
1625 active_entries=None):
1626 def process_patterns(text_string, repo_name, link_format='html', active_entries=None):
1626 1627
1627 1628 allowed_formats = ['html', 'rst', 'markdown']
1628 1629 if link_format not in allowed_formats:
@@ -1668,8 +1669,7 b' def process_patterns(text_string, repo_n'
1668 1669 return newtext, issues_data
1669 1670
1670 1671
1671 def urlify_commit_message(commit_text, repository=None,
1672 active_pattern_entries=None):
1672 def urlify_commit_message(commit_text, repository=None, active_pattern_entries=None):
1673 1673 """
1674 1674 Parses given text message and makes proper links.
1675 1675 issues are linked to given issue-server, and rest is a commit link
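Review bot: In the `@@ -1593,10 +1591,14` hunk, `quote_cleaner` only deletes `"` from `_url` (which carries regex-group text from the commit message via `named_vars`), so it removes one attribute-breaking character rather than escaping the value for the context it is rendered in; if the template puts `_url` inside a double-quoted `href` this closes the reported hole, but a single-quoted attribute or a later template change would reopen it. Escaping for the attribute context, e.g. `'url': cgi.escape(_url, quote=True),` on Python 2 (`html.escape` on Python 3) or the project's own HTML-escaping helper, keeps the URL's content intact instead of silently dropping characters and also handles `&`, `<` and `>`. `quote_cleaner('issue-tracker-link')` on a string literal is a no-op and can stay the plain `'cls': 'issue-tracker-link',`. `_process_url_func` starts and ends outside this hunk, so the template that consumes `data` is not visible here.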
@@ -350,18 +350,26 b' class IssueTrackerSettingsModel(object):'
350 350 uid = k[len(prefix_match):]
351 351 issuetracker_entries[uid] = None
352 352
353 def url_cleaner(input_str):
354 input_str = input_str.replace('"', '').replace("'", '')
355 input_str = bleach.clean(input_str, strip=True)
356 return input_str
357
353 358 # populate
354 359 for uid in issuetracker_entries:
360 url_data = qs.get(self._get_keyname('url', uid, 'rhodecode_'))
361
355 362 issuetracker_entries[uid] = AttributeDict({
356 363 'pat': qs.get(
357 364 self._get_keyname('pat', uid, 'rhodecode_')),
358 'url': bleach.clean(
365 'url': url_cleaner(
359 366 qs.get(self._get_keyname('url', uid, 'rhodecode_')) or ''),
360 367 'pref': bleach.clean(
361 368 qs.get(self._get_keyname('pref', uid, 'rhodecode_')) or ''),
362 369 'desc': qs.get(
363 370 self._get_keyname('desc', uid, 'rhodecode_')),
364 371 })
372
365 373 return issuetracker_entries
366 374
367 375 def get_global_settings(self, cache=False):
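Review bot: `url_data` (new line 360) is assigned from `qs.get(self._get_keyname('url', uid, 'rhodecode_'))` but never used — the `'url'` entry a few lines below re-reads the same key; either drop the local or use it, `'url': url_cleaner(url_data or ''),`. `url_cleaner` strips both quote characters before `bleach.clean`, while `'pref'` is still passed through `bleach.clean` alone; since `entry['pref']` appears to be emitted into the generated link as well (`'issue-prefix'` in the helpers hunk), running it through the same cleaner would keep the two admin-entered fields consistent. Neither quote removal nor `bleach.clean` constrains the URL scheme, so if these URLs are not validated elsewhere, an allow-list of schemes at save time would be the sturdier guard. The enclosing method begins outside this hunk.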