u/pc/rhodecode-enterprise-ce-fork-pc Commit - r2160:844c2584

files: prevent XSS in fake errors message on filenodes.

marcink -

r2160:844c2584 default

parent child

rhodecode/apps/repository/views/repo_files.py

0 +5 -3

                         commit_id, ext, fileformat, content_type = \
                             self._get_archive_spec(fname)
                     except ValueError:
-                        return Response(_('Unknown archive type for: `{}`').format(fname))
+                        return Response(_('Unknown archive type for: `{}`').format(
+                            h.escape(fname)))
                     try:
                         commit = self.rhodecode_vcs_repo.get_commit(commit_id)
                     except CommitDoesNotExistError:
-                        return Response(_('Unknown commit_id %s') % commit_id)
+                        return Response(_('Unknown commit_id {}').format(
+                            h.escape(commit_id)))
                     except EmptyRepositoryError:
                         return Response(_('Empty repository'))
                     try:
                         dir_node = commit.get_node(f_path)
                     except RepositoryError as e:
-                        return Response('error: {}'.format(safe_str(e)))
+                        return Response('error: {}'.format(h.escape(safe_str(e))))
                     if dir_node.is_file():
                         return Response('')

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages