Launchpad itself

Merge lp:~rharding/launchpad/xss_911632 into lp:launchpad

xss_911632
Merge into devel

Proposed by Richard Harding on 2012-01-04

Status:

Merged

Approved by:

Richard Harding on 2012-01-05

Approved revision:

no longer in the source branch.

Merged at revision:

14642

Proposed branch:

lp:~rharding/launchpad/xss_911632

Merge into:

lp:launchpad

Diff against target:

21 lines (+2/-2)

1 file modified

lib/lp/code/browser/branchlisting.py (+2/-2)

To merge this branch:

bzr merge lp:~rharding/launchpad/xss_911632

Critical

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Aaron Bentley (community)		2012-01-04	Approve on 2012-01-04
Review via email: mp+87507@code.launchpad.net

Commit Message

[r=abentley][bug=911632] Fix template to escape output of no branch message.

Description of the Change

= Summary =
A user discovered that there was a XSS script avenue in the code branch listing page for a user.

== Proposed Fix ==
The template was using a content:structure that prevented escaping of the html entities.

== Implementation Details ==
In searching, no one implementing the no_branch_message had any html in the constructed message. The structure was just removed to allow for escaping to take place at the template level.

== Tests ==
./bin/test -cvvt test_branchlisting

== Demo and Q/A ==
A user's full name needs to be changed to "'/><script>alert(true);</script>. Then you need to load up the user's code.launchpad.net page. Make sure there are no branches in the table view by changing the status filter until you trigger the "no branch message". The output should be escaped.

Aaron Bentley (abentley) wrote on 2012-01-04:

I'd prefer it if this used getViewBrowser, as it's simpler. But either way works.

review: Approve

Richard Harding (rharding) wrote on 2012-01-05:

Need to remove link from ProductBranchListingView and ProjectBranchesView alternate messages in order to prevent breaking those urls.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to status/vote changes:

Tzaddi

Tzaddi Belding

1	=== modified file 'lib/lp/code/browser/branchlisting.py'
2	--- lib/lp/code/browser/branchlisting.py 2012-01-01 02:58:52 +0000
3	+++ lib/lp/code/browser/branchlisting.py 2012-01-05 13:24:31 +0000
4	@@ -1240,7 +1240,7 @@
5	message = (
6	'There are no branches registered for %s '
7	'in Launchpad today. We recommend you visit '
8	- '<a href="http://www.bazaar-vcs.org">www.bazaar-vcs.org</a> '
9	+ 'www.bazaar-vcs.org '
10	'for more information about how you can use the Bazaar '
11	'revision control system to improve community participation '
12	'in this project.')
13	@@ -1474,7 +1474,7 @@
14	message = (
15	'There are no branches registered for %s '
16	'in Launchpad today. We recommend you visit '
17	- '<a href="http://www.bazaar-vcs.org">www.bazaar-vcs.org</a> '
18	+ 'www.bazaar-vcs.org '
19	'for more information about how you can use the Bazaar '
20	'revision control system to improve community participation '
21	'in this project group.')