author | Alexandru DAMIAN <alexandru.damian@intel.com> | 2014-11-11 17:01:09 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-11-12 17:04:50 +0000 |
commit | c5d19aae55be158676eb0914bd5d0701f7d3fd3a (patch) | |
tree | b549631196198eaa89a922c1088243b25c74ecd9 /bitbake/lib/toaster/toastergui/templatetags | |
parent | 326d5b1a284ca4d29f986d3d6a1cee838b841301 (diff) | |
download | poky-c5d19aae55be158676eb0914bd5d0701f7d3fd3a.tar.gz |
bitbake: toastergui: fix XSS injection points in projects page
We close XSS injection points in Projects page.
* modify the json filter to properly escape HTML tags in strings
* enable $sanitize to automatically sanitize dangerous HTML in
user-supplied input
* clean dangerous characters in the targets field, as that field's contents
are passed directly to a shell command
Based on the vulnerability discovered and the patch provided by Michael Wood.
(Bitbake rev: 23c440db9c076ca37e651bdbbdbefee54998e1dc)
Signed-off-by: Alexandru DAMIAN <alexandru.damian@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'bitbake/lib/toaster/toastergui/templatetags')
-rw-r--r-- | bitbake/lib/toaster/toastergui/templatetags/projecttags.py | 6 |
1 files changed, 5 insertions, 1 deletions
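--- a/bitbake/lib/toaster/toastergui/templatetags/projecttags.py
+++ b/bitbake/lib/toaster/toastergui/templatetags/projecttags.py
@@ -25,6 +25,7 @@ from django import template
 from django.utils import timezone
 from django.template.defaultfilters import filesizeformat
 import json as JsonLib
+from django.utils.safestring import mark_safe
 
 register = template.Library()
 
@@ -49,7 +50,10 @@ def mapselect(value, argument):
 
 @register.filter(name = "json")
 def json(value):
-    return JsonLib.dumps(value)
+    # JSON spec says that "\/" is functionally identical to "/" to allow for HTML-tag embedding in JSON strings
+    # unfortunately, I can't find any option in the json module to turn on forward-slash escaping, so we do
+    # it manually here
+    return mark_safe(JsonLib.dumps(value, ensure_ascii=False).replace('</', '<\\/'))
 
 @register.assignment_tag
 def query(qs, **kwargs):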
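Review bot: Rewriting only `</` to `<\/` in the new `json` filter closes the `</script>` breakout but not the other script-context ones: an `<!--` followed by `<script` inside a string still drives the HTML5 parser into the escaped-script state, and with `ensure_ascii=False` a raw U+2028/U+2029 in user data is emitted verbatim, which pre-ES2019 JavaScript engines treat as a line terminator that ends the string literal. Escaping the HTML-significant characters as JSON unicode escapes, and keeping the default `ensure_ascii=True` so that U+2028/U+2029 and all other non-ASCII come out as `\uXXXX` anyway, fixes both while still producing valid JSON: `escaped = JsonLib.dumps(value).replace('<', '\\u003c').replace('>', '\\u003e').replace('&', '\\u0026')` then `return mark_safe(escaped)` (drop `ensure_ascii=False` unless something not visible here needs the raw non-ASCII output). Because the result is now `mark_safe`, the double quotes in the JSON are no longer HTML-escaped, so the filter is only safe inside a `<script>` element and must never be used in an attribute value; a docstring such as `"""Serialise value as JSON that is safe to embed inside a <script> block (not attribute-safe)."""` would make that contract explicit. This is the same approach Django's later `json_script` filter takes for `<`, `>` and `&`.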