Changeset - cd8fa11c5c89
[Not reviewed]
stable
Mads Kiilerich (mads) - 5 years ago 2020-11-10 11:30:16
mads@kiilerich.com
repogroups: fix HTML markup of descriptions

Repogroup descriptions were not urlified like repo descriptions are. That
caused incorrect rendering with possibility of XSS.

The problem was introduced in 0.4.0 with 6db3122e4d75.

Thanks to stypr of Flatt Security for reporting this vulnerability.
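The rendering difference the commit message describes, as an added illustration that is not Kallithea's own code: `urlify_text` below is a constructed stand-in for the `desc()` helper referenced in the changeset (the real helper is not shown on this page), and `render_group_rows` mimics the row-building loop with and without that helper, on a constructed group description.

```python
import html
import re

# Constructed stand-in for the desc() helper the changeset applies; it assumes
# the helper escapes HTML metacharacters first and only then autolinks URLs.
_URL_RE = re.compile(r'(https?://[^\s<>"\']+)')


def urlify_text(text):
    """Escape HTML, then turn plain http(s) URLs into anchors."""
    if not text:
        return ''
    escaped = html.escape(text, quote=True)
    return _URL_RE.sub(r'<a href="\1">\1</a>', escaped)


def linkify_then_escape(text):
    """Wrong order for comparison: escaping afterwards destroys the anchors."""
    return html.escape(_URL_RE.sub(r'<a href="\1">\1</a>', text or ''), quote=True)


def render_group_rows(groups, urlify=None):
    """Build the `desc` field of each group row, raw (the bug) or via the helper (the fix)."""
    rows = []
    for name, description in groups:
        rows.append({
            'just_name': name,
            'desc': urlify(description) if urlify else description,
        })
    return rows


# Constructed sample: a group description carrying markup and a URL with a query string.
SAMPLE_GROUPS = [
    ('tools', 'Build tools <script>alert(1)</script> see https://example.com/?a=1&b=2'),
]


def vulnerable_rows():
    """Before the fix: the description reaches the page as raw HTML."""
    return render_group_rows(SAMPLE_GROUPS)


def fixed_rows():
    """After the fix: the description is escaped and its URL linkified."""
    return render_group_rows(SAMPLE_GROUPS, urlify_text)


if __name__ == '__main__':
    print(vulnerable_rows()[0]['desc'])
    print(fixed_rows()[0]['desc'])
```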
1 file changed with 1 insertion and 1 deletion:
0 comments (0 inline, 0 general)
kallithea/model/repo.py
 
@@ -168,13 +168,13 @@ class RepoModel(object):
 

	
 
        for gr in repo_groups_list or []:
 
            repos_data.append(dict(
 
                raw_name='\0' + gr.name, # sort before repositories
 
                just_name=gr.name,
 
                name=_render('group_name_html', group_name=gr.group_name, name=gr.name),
 
                desc=gr.group_description))
 
                desc=desc(gr.group_description)))
 

	
 
        for repo in repos_list:
 
            if not HasRepoPermissionLevel('read')(repo.repo_name, 'get_repos_as_dict check'):
 
                continue
 
            cs_cache = repo.changeset_cache
 
            row = {
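Review bot: the `desc()` helper applied on the changed line `desc=desc(gr.group_description)))` is not defined or imported anywhere in the visible hunk, so confirm it is the same helper already used for repository descriptions in this method; otherwise group descriptions would still be escaped and urlified differently from repository descriptions, which is exactly the rendering difference the commit message describes. A regression test that sets a repository group description containing HTML markup and a URL and checks that `get_repos_as_dict` returns it escaped and linkified would keep the two code paths from drifting apart again.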