work-items-tracker

Merge lp://qastaging/~kees/launchpad-work-items-tracker/fix-escaping into lp://qastaging/launchpad-work-items-tracker

  1. fix-escaping
  2. Merge into trunk
Proposed by Kees Cook
Status: Merged
Merged at revision: not available
Proposed branch: lp://qastaging/~kees/launchpad-work-items-tracker/fix-escaping
Merge into: lp://qastaging/launchpad-work-items-tracker
Diff against target: 71 lines (+9/-9)
1 file modified
workitems.py (+9/-9)
To merge this branch: bzr merge lp://qastaging/~kees/launchpad-work-items-tracker/fix-escaping
Reviewer Review Type Date Requested Status
Developers of work-items-tracker Pending
Review via email: mp+15625@code.qastaging.launchpad.net
To post a comment you must log in.
Revision history for this message
Kees Cook (kees) wrote :

This should clean up escaping and catch the assignee href XSS

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'workitems.py'
2--- workitems.py 2009-12-03 17:28:57 +0000
3+++ workitems.py 2009-12-03 19:30:22 +0000
4@@ -2,7 +2,7 @@
5
6 import urllib, re, sys, optparse, os.path, datetime
7 import sqlite3 as dbapi2
8-from xml.sax.saxutils import escape
9+from cgi import escape
10
11 from launchpadlib.launchpad import Launchpad, EDGE_SERVICE_ROOT
12
13@@ -431,8 +431,8 @@
14 if bp.startswith('http:') or bp.startswith('https:'):
15 url = bp
16 else:
17- url = '%s/ubuntu/+spec/%s' % (blueprints_base_url, escape(bp))
18- return '<a href="%s">%s</a>' % (url, escape(bp))
19+ url = '%s/ubuntu/+spec/%s' % (blueprints_base_url, escape(bp, True))
20+ return '<a href="%s">%s</a>' % (url, escape(bp, True))
21
22 def html_format_priority(priority):
23 prio_colors = {
24@@ -443,7 +443,7 @@
25 'Essential': 'red'
26 }
27
28- p = escape(priority or '')
29+ p = escape(priority or '', True)
30 col = prio_colors.get(p)
31 if col:
32 return '<span style="color: %s">%s</span>' % (col, p)
33@@ -496,7 +496,7 @@
34 bp_html, data[bp][0], data[bp][2],
35 data[bp][1], percent,
36 html_format_priority(data[bp][-1]),
37- escape(data[bp][-2]))
38+ escape(data[bp][-2], True))
39
40 print '</table>'
41
42@@ -519,9 +519,9 @@
43 completion.sort(key=lambda k: k[0], reverse=False)
44
45 for (a, percent) in completion:
46- url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, a)
47+ url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, escape(a, True))
48 print ' <tr><td><a href="%s">%s</a></td> <td>%i/%i/%i</td> <td>%i%%</td></tr>' % (
49- url, escape(a), len(data[a][0]), len(data[a][2]),
50+ url, escape(a, True), len(data[a][0]), len(data[a][2]),
51 len(data[a][1]), percent)
52 print '</table>'
53
54@@ -541,7 +541,7 @@
55 todo_len = len(todo)
56 postponed_len = len(postponed)
57 done_len = len(done)
58- url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, a)
59+ url = '%s/~%s/+specs?role=assignee' % (blueprints_base_url, escape(a, True))
60 rows = ['<td rowspan="%s">todo</td>' % todo_len,
61 '<td rowspan="%s">postponed</td>' % postponed_len,
62 '<td rowspan="%s">done</td>' % done_len]
63@@ -553,7 +553,7 @@
64 print ' <tr>',
65 if not printed_assignee:
66 print '<td rowspan="%s"><a href="%s">%s</a></td> ' % (
67- todo_len+postponed_len+done_len, url, escape(a)),
68+ todo_len+postponed_len+done_len, url, escape(a, True)),
69 printed_assignee = True
70 if not printed_status:
71 print rows[i]

Subscribers

People subscribed via source and target branches

to all changes: