kallithea Files · .travis.yml

Files @ 04e44ea05c5f

Branch filter:

Location: kallithea/.travis.yml - annotation

04e44ea05c5f 834 B application/yaml Show Source Show as Raw Download as Raw

Thomas De Schampheleire

compare: prevent XSS due to unescaped branch/tag/bookmark names

In the revision selection dropdown of the 'Compare' functionality, the
branch/tag/bookmark names were not correctly escaped.

This means that if an attacker is able to push a branch/tag/bookmark
containing HTML/JavaScript in its name, then that code would be evaluated.
This is a cross-site scripting (XSS) vulnerability.

Fix the problem by correctly escaping the branch/tag/bookmarks.

6ccf86ebfd4e
6ccf86ebfd4e
6ccf86ebfd4e
6ccf86ebfd4e
6ccf86ebfd4e
6ccf86ebfd4e
703d3208424c
703d3208424c
703d3208424c
6ccf86ebfd4e
925c77b9d3f1
925c77b9d3f1
925c77b9d3f1
925c77b9d3f1
6ccf86ebfd4e
6ccf86ebfd4e
703d3208424c
703d3208424c
63d3d20cad95
63d3d20cad95
63d3d20cad95
64ee7cf4a76d
63d3d20cad95
63d3d20cad95
63d3d20cad95
6ccf86ebfd4e
6ccf86ebfd4e
6ccf86ebfd4e
6ccf86ebfd4e
63d3d20cad95
6ccf86ebfd4e
6ccf86ebfd4e
6ccf86ebfd4e
6ccf86ebfd4e
6ccf86ebfd4e
13c0ab8eb343
08af8038e1cc
6ccf86ebfd4e
6ccf86ebfd4e
6ccf86ebfd4e
69377d1d7604

language: python
python:
  - "2.6"
  - "2.7"

env:  
  - TEST_DB=sqlite:////tmp/kallithea_test.sqlite
  - TEST_DB=mysql://root@127.0.0.1/kallithea_test
  - TEST_DB=postgresql://postgres@127.0.0.1/kallithea_test

services:
  - mysql
  - postgresql

# command to install dependencies
before_script:
  - mysql -e 'create database kallithea_test;'
  - psql -c 'create database kallithea_test;' -U postgres
  - git --version

before_install:
  - sudo apt-get remove git
  - sudo add-apt-repository ppa:pdoes/ppa -y
  - sudo apt-get update -y
  - sudo apt-get install git -y

install:
  - pip install mysql-python psycopg2 mock unittest2
  - pip install . --use-mirrors

# command to run tests
script: nosetests

notifications:
    email:
        - ci@kallithea-scm.org
    irc: "irc.freenode.org#kallithea"

branches:
  only:
    - master