security: fixed self-xss inside file views.
ergo -
r1810:a79ddada default
@@ -124,9 +124,8 b' class FilesController(BaseRepoController'
124 if file_node.is_dir():
124 if file_node.is_dir():
125 raise RepositoryError('The given path is a directory')
125 raise RepositoryError('The given path is a directory')
126 except CommitDoesNotExistError:
126 except CommitDoesNotExistError:
127 msg = _('No such commit exists for this repository')
127 log.exception('No such commit exists for this repository')
128 log.exception(msg)
128 h.flash(_('No such commit exists for this repository'), category='error')
129 h.flash(msg, category='error')
130 raise HTTPNotFound()
129 raise HTTPNotFound()
131 except RepositoryError as e:
130 except RepositoryError as e:
132 h.flash(safe_str(e), category='error')
131 h.flash(safe_str(e), category='error')
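Review bot: The `except RepositoryError as e` branch at the end of this hunk still flashes `safe_str(e)` without `h.escape`, while the commit escapes `f_path` and the node-error text in its other flash calls; if a RepositoryError message can carry a user-supplied path, this call site keeps the same unescaped-flash pattern the commit is removing. Unless `h.flash` escapes on its own (not visible here), the line should read `h.flash(h.escape(safe_str(e)), category='error')`. The enclosing method continues outside the hunk.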
@@ -450,7 +449,7 b' class FilesController(BaseRepoController'
450 c.file = self.__get_filenode_or_redirect(repo_name, c.commit, f_path)
449 c.file = self.__get_filenode_or_redirect(repo_name, c.commit, f_path)
451
450
452 c.default_message = _(
451 c.default_message = _(
453 'Deleted file %s via RhodeCode Enterprise') % (f_path)
452 'Deleted file {} via RhodeCode Enterprise').format(f_path)
454 c.f_path = f_path
453 c.f_path = f_path
455 node_path = f_path
454 node_path = f_path
456 author = c.rhodecode_user.full_contact
455 author = c.rhodecode_user.full_contact
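Review bot: `c.default_message` still interpolates `f_path` unescaped via `.format(f_path)`, so its safety depends on the template escaping it on output; the same assignment appears in the hunks at `@@ -503`, `@@ -537` and `@@ -612`. Escaping here would be wrong, because the tests show this text also becomes the commit message (`assert tip.message == 'Edited file vcs/nodes.py via RhodeCode Enterprise'`), which must stay plain. Whether `files_delete.mako` and `files_edit.mako` apply an escape filter cannot be confirmed from the diff, so a comment at the assignment, `# contains the raw path: templates must output-escape this value`, would make the assumption explicit for the next reader.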
@@ -469,8 +468,9 b' class FilesController(BaseRepoController'
469 author=author,
468 author=author,
470 )
469 )
471
470
472 h.flash(_('Successfully deleted file %s') % f_path,
471 h.flash(
473 category='success')
472 _('Successfully deleted file `{}`').format(
473 h.escape(f_path)), category='success')
474 except Exception:
474 except Exception:
475 msg = _('Error occurred during commit')
475 msg = _('Error occurred during commit')
476 log.exception(msg)
476 log.exception(msg)
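Review bot: The fix escapes `f_path` at each flash call site (`h.escape(f_path)` here and in the hunks at `@@ -575` and `@@ -704`), so every future `h.flash` caller has to remember the same step; the `safe_str(e)` flash in the first hunk is an existing caller that does not. Escaping inside `h.flash` itself (with callers passing a pre-marked safe value only when markup is intended) would close the bug class rather than these three instances. If changing `h.flash` is out of scope, a comment at this call, `# flash text appears to be rendered as markup; escape user-supplied path`, records why the escape is required. The enclosing try/except starts before this hunk.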
@@ -503,7 +503,7 b' class FilesController(BaseRepoController'
503 c.file = self.__get_filenode_or_redirect(repo_name, c.commit, f_path)
503 c.file = self.__get_filenode_or_redirect(repo_name, c.commit, f_path)
504
504
505 c.default_message = _(
505 c.default_message = _(
506 'Deleted file %s via RhodeCode Enterprise') % (f_path)
506 'Deleted file {} via RhodeCode Enterprise').format(f_path)
507 c.f_path = f_path
507 c.f_path = f_path
508
508
509 return render('files/files_delete.mako')
509 return render('files/files_delete.mako')
@@ -537,7 +537,7 b' class FilesController(BaseRepoController'
537 return redirect(url('files_home', repo_name=c.repo_name,
537 return redirect(url('files_home', repo_name=c.repo_name,
538 revision=c.commit.raw_id, f_path=f_path))
538 revision=c.commit.raw_id, f_path=f_path))
539 c.default_message = _(
539 c.default_message = _(
540 'Edited file %s via RhodeCode Enterprise') % (f_path)
540 'Edited file {} via RhodeCode Enterprise').format(f_path)
541 c.f_path = f_path
541 c.f_path = f_path
542 old_content = c.file.content
542 old_content = c.file.content
543 sl = old_content.splitlines(1)
543 sl = old_content.splitlines(1)
@@ -575,12 +575,12 b' class FilesController(BaseRepoController'
575 parent_commit=c.commit,
575 parent_commit=c.commit,
576 )
576 )
577
577
578 h.flash(_('Successfully committed to %s') % f_path,
578 h.flash(
579 category='success')
579 _('Successfully committed changes to file `{}`').format(
580 h.escape(f_path)), category='success')
580 except Exception:
581 except Exception:
581 msg = _('Error occurred during commit')
582 log.exception('Error occurred during commit')
582 log.exception(msg)
583 h.flash(_('Error occurred during commit'), category='error')
583 h.flash(msg, category='error')
584 return redirect(url('changeset_home',
584 return redirect(url('changeset_home',
585 repo_name=c.repo_name, revision='tip'))
585 repo_name=c.repo_name, revision='tip'))
586
586
@@ -612,7 +612,7 b' class FilesController(BaseRepoController'
612 return redirect(url('files_home', repo_name=c.repo_name,
612 return redirect(url('files_home', repo_name=c.repo_name,
613 revision=c.commit.raw_id, f_path=f_path))
613 revision=c.commit.raw_id, f_path=f_path))
614 c.default_message = _(
614 c.default_message = _(
615 'Edited file %s via RhodeCode Enterprise') % (f_path)
615 'Edited file {} via RhodeCode Enterprise').format(f_path)
616 c.f_path = f_path
616 c.f_path = f_path
617
617
618 return render('files/files_edit.mako')
618 return render('files/files_edit.mako')
@@ -704,8 +704,9 b' class FilesController(BaseRepoController'
704 author=author,
704 author=author,
705 )
705 )
706
706
707 h.flash(_('Successfully committed to %s') % node_path,
707 h.flash(
708 category='success')
708 _('Successfully committed new file `{}`').format(
709 h.escape(node_path)), category='success')
709 except NonRelativePathError as e:
710 except NonRelativePathError as e:
710 h.flash(_(
711 h.flash(_(
711 'The location specified must be a relative path and must not '
712 'The location specified must be a relative path and must not '
@@ -713,11 +714,10 b' class FilesController(BaseRepoController'
713 return redirect(url('changeset_home', repo_name=c.repo_name,
714 return redirect(url('changeset_home', repo_name=c.repo_name,
714 revision='tip'))
715 revision='tip'))
715 except (NodeError, NodeAlreadyExistsError) as e:
716 except (NodeError, NodeAlreadyExistsError) as e:
716 h.flash(_(e), category='error')
717 h.flash(_(h.escape(e)), category='error')
717 except Exception:
718 except Exception:
718 msg = _('Error occurred during commit')
719 log.exception('Error occurred during commit')
719 log.exception(msg)
720 h.flash(_('Error occurred during commit'), category='error')
720 h.flash(msg, category='error')
721 return redirect(url('changeset_home',
721 return redirect(url('changeset_home',
722 repo_name=c.repo_name, revision='tip'))
722 repo_name=c.repo_name, revision='tip'))
723
723
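Review bot: `h.flash(_(h.escape(e)), category='error')` runs an escaped, runtime-built exception text through `_()`; a gettext lookup presumably has no catalog entry for it, so the call is at best a no-op that hides the fact that the message is dynamic. `h.flash(h.escape(safe_str(e)), category='error')` states what is happening and matches the `safe_str(e)` usage in the first hunk. Whether `h.escape` accepts an exception instance rather than a string is not visible here, which is another reason to pass `safe_str(e)`. The enclosing try starts before this hunk.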
@@ -801,7 +801,7 b' class FilesController(BaseRepoController'
801 if not use_cached_archive:
801 if not use_cached_archive:
802 # generate new archive
802 # generate new archive
803 fd, archive = tempfile.mkstemp()
803 fd, archive = tempfile.mkstemp()
804 log.debug('Creating new temp archive in %s' % (archive,))
804 log.debug('Creating new temp archive in %s', archive)
805 try:
805 try:
806 commit.archive_repo(archive, kind=fileformat, subrepos=subrepos)
806 commit.archive_repo(archive, kind=fileformat, subrepos=subrepos)
807 except ImproperArchiveTypeError:
807 except ImproperArchiveTypeError:
@@ -809,7 +809,7 b' class FilesController(BaseRepoController'
809 if archive_cache_enabled:
809 if archive_cache_enabled:
810 # if we generated the archive and we have cache enabled
810 # if we generated the archive and we have cache enabled
811 # let's use this for future
811 # let's use this for future
812 log.debug('Storing new archive in %s' % (cached_archive_path,))
812 log.debug('Storing new archive in %s', cached_archive_path)
813 shutil.move(archive, cached_archive_path)
813 shutil.move(archive, cached_archive_path)
814 archive = cached_archive_path
814 archive = cached_archive_path
815
815
@@ -758,9 +758,8 b' class TestChangingFiles:'
758 'csrf_token': csrf_token,
758 'csrf_token': csrf_token,
759 },
759 },
760 status=302)
760 status=302)
761 assert_session_flash(
761 assert_session_flash(response,
762 response, 'Successfully committed to %s'
762 'Successfully committed new file `{}`'.format(os.path.join(filename)))
763 % os.path.join(filename))
764
763
765 def test_add_file_into_repo_missing_filename(self, backend, csrf_token):
764 def test_add_file_into_repo_missing_filename(self, backend, csrf_token):
766 response = self.app.post(
765 response = self.app.post(
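Review bot: None of the updated tests here or in the hunks at `@@ -848`, `@@ -894`, `@@ -921` and `@@ -961` commit a filename containing HTML metacharacters, so the escaping this commit adds is not exercised; the assertions only follow the new message wording. One test that posts a filename such as `x<b>y</b>.txt` (constructed example) and asserts the flash contains `&lt;b&gt;` rather than `<b>` would pin the fix and catch a future call site that drops `h.escape`. Minor: `os.path.join(filename)` with a single argument returns `filename` unchanged, so `.format(filename)` reads more clearly.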
@@ -848,9 +847,9 b' class TestChangingFiles:'
848 'csrf_token': csrf_token,
847 'csrf_token': csrf_token,
849 },
848 },
850 status=302)
849 status=302)
851 assert_session_flash(
850 assert_session_flash(response,
852 response, 'Successfully committed to %s'
851 'Successfully committed new file `{}`'.format(
853 % os.path.join(location, filename))
852 os.path.join(location, filename)))
854
853
855 def test_edit_file_view(self, backend):
854 def test_edit_file_view(self, backend):
856 response = self.app.get(
855 response = self.app.get(
@@ -894,7 +893,7 b' class TestChangingFiles:'
894 },
893 },
895 status=302)
894 status=302)
896 assert_session_flash(
895 assert_session_flash(
897 response, 'Successfully committed to vcs/nodes.py')
896 response, 'Successfully committed changes to file `vcs/nodes.py`')
898 tip = repo.get_commit(commit_idx=-1)
897 tip = repo.get_commit(commit_idx=-1)
899 assert tip.message == 'I committed'
898 assert tip.message == 'I committed'
900
899
@@ -921,7 +920,7 b' class TestChangingFiles:'
921 },
920 },
922 status=302)
921 status=302)
923 assert_session_flash(
922 assert_session_flash(
924 response, 'Successfully committed to vcs/nodes.py')
923 response, 'Successfully committed changes to file `vcs/nodes.py`')
925 tip = repo.get_commit(commit_idx=-1)
924 tip = repo.get_commit(commit_idx=-1)
926 assert tip.message == 'Edited file vcs/nodes.py via RhodeCode Enterprise'
925 assert tip.message == 'Edited file vcs/nodes.py via RhodeCode Enterprise'
927
926
@@ -961,7 +960,7 b' class TestChangingFiles:'
961 },
960 },
962 status=302)
961 status=302)
963 assert_session_flash(
962 assert_session_flash(
964 response, 'Successfully deleted file vcs/nodes.py')
963 response, 'Successfully deleted file `vcs/nodes.py`')
965
964
966
965
967 def assert_files_in_response(response, files, params):
966 def assert_files_in_response(response, files, params):