Context Navigation

Modify ↓

#11999 closed defect (fixed)

Several messages should be escaped in ticketlog.js

Reported by:	Jun Omae	Owned by:	Jun Omae
Priority:	normal	Component:	TracTicketChangelogPlugin
Severity:	normal	Keywords:
Cc:		Trac Release:	0.12

Description (last modified by Jun Omae)

I found XSS vulnerabilities in ticketlog.js.

result.msg_query_err in tracticketchangelogplugin/0.12/ticketlog/htdocs/ticketlog.js@14183:8#L5
result.msg_tkt_rev_head in tracticketchangelogplugin/0.12/ticketlog/htdocs/ticketlog.js@14183:25#L21
revision.author ~~and revision.message~~ in tracticketchangelogplugin/0.12/ticketlog/htdocs/ticketlog.js@14183:43,44#L39

I'll post patch for that.

Attachments (1)

t11999.diff (3.6 KB) - added by Jun Omae 10 years ago.

Download all attachments as: .zip

Change History (10)

comment:1 Changed 10 years ago by Ryan J Ollos

Thanks. Please feel free to push changes for this plugin at any time. I made a few attempts to get in touch with richard through tickets some time ago, and then pushed ahead with making changes when there was no reply.

Changed 10 years ago by Jun Omae

Attachment:	t11999.diff added

comment:2 Changed 10 years ago by Jun Omae

Owner:	changed from Richard Liao to Jun Omae
Status:	new → accepted

I just created patch, t11999.diff . I'll commit it later.

Also, I think we should use display_rev() rather than normalize_rev() because raw revision (40 bytes) will be displayed if git and mercurial.

tracticketchangelogplugin/1.0/ticketlog/web_ui.py

                 continue
             repos = RepositoryManager(self.env).get_repository(repos_name)
             rev = repos.normalize_rev(rev)
+            rev = repos.display_rev(rev)
             link = str(rev)
             if repos_name:
                 link += '/%s' % repos_name

comment:3 Changed 10 years ago by Ryan J Ollos

Both patches look good. Should revision.message be escaped on line 52 of the patch?

comment:4 Changed 10 years ago by Jun Omae

Description:	modified (diff)

I misunderstood about that. revision.message shouldn't be escaped. Output of format_to_oneliner() is stored on it at tracticketchangelogplugin/0.12/ticketlog/web_ui.py@14192:204#L190 .

comment:5 Changed 10 years ago by Ryan J Ollos

If you have a chance to commit the change, then I'll close out #12143 this weekend and tag a new release. Thanks for your help with the plugin!

comment:6 Changed 10 years ago by Jun Omae

In 14365:

0.2dev: fixed rendering not escaped characters in ticket relative changesets (refs #11999)

comment:7 Changed 10 years ago by Jun Omae

In 14366:

0.2dev: ticketlog shows shortened revision string rather than raw revision string (refs #11999)

comment:8 Changed 10 years ago by Jun Omae

In 14367:

1.0dev: merged [14366] from 0.2dev (refs #11999)

comment:9 Changed 10 years ago by Jun Omae

Resolution:	→ fixed
Status:	accepted → closed

I'd forgotten about this. I pushed the patch and proposed changes in comment:2.

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Jun Omae.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: