Files @ c7728c5736fd
Branch filter:

Location: kallithea/init.d/supervisord.conf - annotation

c7728c5736fd 2.6 KiB text/plain Show Source Show as Raw Download as Raw
Thomas De Schampheleire
templates: narrow down scope of webhelpers.html.literal for HTML injection

When using webhelpers.html.literal to inject some explicit HTML code with
some variable data, there are two approaches:
h.literal('some <html> code with %s data' % foobar)
or
h.literal('some <html> code with %s data') % foobar

In the first case, the literal also applies to the contents of variable
'foobar' which may be influenceable by users and thus potentially malicious.
In the second case, this term will be escaped by webhelpers.

See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html#webhelpers.html.builder.literal
"Also, if you add another string to this string, the other string will
be quoted and you will get back another literal object. Also
literal(...) % obj will quote any value(s) from obj."

In files_browser.html, the correction of this scope of literal() also means
that explicit escaping of node.name can be removed. The escaping is now done
automatically by webhelpers as mentioned above.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
24c0d584ba86
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
99ad9d0af1a3
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
99ad9d0af1a3
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
99ad9d0af1a3
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
03bbd33bc084
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
e4eabd2558b6
99ad9d0af1a3
99ad9d0af1a3
e4eabd2558b6
e4eabd2558b6
03bbd33bc084
2c3d30095d5e
e4eabd2558b6
e285bb7abb28
e285bb7abb28

; Kallithea Supervisord
; ##########################
; for help see http://supervisord.org/configuration.html
; ##########################

[inet_http_server]         ; inet (TCP) server disabled by default
port=127.0.0.1:9001        ; (ip_address:port specifier, *:port for all iface)
;username=user              ; (default is no username (open server))
;password=123               ; (default is no password (open server))

[supervisord]
logfile=/%(here)s/supervisord_kallithea.log ; (main log file;default $CWD/supervisord.log)
logfile_maxbytes=50MB        ; (max main logfile bytes b4 rotation;default 50MB)
logfile_backups=10           ; (num of main logfile rotation backups;default 10)
loglevel=info                ; (log level;default info; others: debug,warn,trace)
pidfile=/%(here)s/supervisord_kallithea.pid ; (supervisord pidfile;default supervisord.pid)
nodaemon=true               ; (start in foreground if true;default false)
minfds=1024                  ; (min. avail startup file descriptors;default 1024)
minprocs=200                 ; (min. avail process descriptors;default 200)
umask=022                    ; (process file creation umask;default 022)
user=username                  ; (default is current user, required if root)
;identifier=supervisor       ; (supervisord identifier, default is 'supervisor')
;directory=/tmp              ; (default is not to cd during start)
;nocleanup=true              ; (don't clean up tempfiles at start;default false)
;childlogdir=/tmp            ; ('AUTO' child log dir, default $TEMP)
environment=HOME=/srv/kallithea       ; (key value pairs to add to environment)
;strip_ansi=false            ; (strip ansi escape codes in logs; def. false)

; the below section must remain in the config file for RPC
; (supervisorctl/web interface) to work, additional interfaces may be
; added by defining them in separate rpcinterface: sections
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
;username=user               ; should be same as http_username if set
;password=123                ; should be same as http_password if set
;prompt=mysupervisor         ; cmd line prompt (default "supervisor")
;history_file=~/.sc_history  ; use readline history if available


; restart with supervisorctl restart kallithea:*
[program:kallithea]
numprocs = 1
numprocs_start = 5000 # possible should match ports
directory=/srv/kallithea
command = /srv/kallithea/venv/bin/gearbox serve -c my.ini
process_name = %(program_name)s_%(process_num)04d
redirect_stderr=true
stdout_logfile=/%(here)s/kallithea.log
Server instance: clio-24972 This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3. – Support