Files @ 38d1c99cd000
Branch filter:

Location: kallithea/.hgignore - annotation

38d1c99cd000 341 B text/plain Show Source Show as Raw Download as Raw
Søren Løvborg
login: enhance came_from validation

Drop urlparse and just validate that came_from is a RFC 3986 compliant path.

This blocks an HTTP header injection vulnerability discovered by
Gjoko Krstic <gjoko@zeroscience.mk> of Zero Science Lab (CVE-2015-5285)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
a555d8345105
a555d8345105
a555d8345105
3dd89d30cd28
b5c57e2176dc
a28bd9cb6549
a28bd9cb6549
7d6c4bd58abd
9885bbacf99c
9885bbacf99c
564e40829f80
564e40829f80
95f1ed68cac1
a555d8345105
9496c047ea4d
a555d8345105
a555d8345105
058f63b6c2ff
19267f233d39
b619d9eef67a
058f63b6c2ff
058f63b6c2ff
596eb21f61d5
27c8836e6356
277684f23146
92cacbcb5272
24c0d584ba86
03bbd33bc084
324ac367a4da
bd39c1f70e35
bfa66e8887d7

syntax: glob
*.pyc
*.swp
*.sqlite
*.tox
*.egg-info
*.egg
*.mo
.eggs/
tarballcache/

syntax: regexp
^rcextensions
^build
^dist/
^docs/build/
^docs/_build/
^data$
^kallithea/tests/data$
^sql_dumps/
^\.settings$
^\.project$
^\.pydevproject$
^\.coverage$
^kallithea\.db$
^test\.db$
^Kallithea\.egg-info$
^my\.ini$
^fabfile.py
^\.idea$
^\.cache$
Server instance: clio-27434 This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3. – Support