Nemcio/Gogs
1
0
Fork 0
mirror of https://github.com/gogs/gogs.git synced 2025-12-20 07:09:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Security: fix XSS attack on milestone

Browse Source 
Reported by Miguel Ángel Jimeno.
This commit is contained in:
Unknwon
2017-02-17 08:06:48 -05:00
parent d521e716dd
commit 5155f026b4
6 changed files with 17 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
gogs.go
View File

@@ -16,7 +16,7 @@ import (
"github.com/gogits/gogs/modules/setting" "github.com/gogits/gogs/modules/setting"
) )
const APP_VER = "0.9.152.0216" const APP_VER = "0.9.153.0217"
func init() { func init() {
setting.AppVer = APP_VER setting.AppVer = APP_VER

8
routers/repo/http.go
View File

@@ -95,7 +95,7 @@ func HTTPContexter() macaron.Handler {
authUser, err := models.UserSignIn(authUsername, authPassword) authUser, err := models.UserSignIn(authUsername, authPassword)
if err != nil && !models.IsErrUserNotExist(err) { if err != nil && !models.IsErrUserNotExist(err) {
ctx.Handle(http.StatusInternalServerError, "UserSignIn: %v", err) ctx.Handle(http.StatusInternalServerError, "UserSignIn", err)
return return
} }
@@ -103,7 +103,11 @@ func HTTPContexter() macaron.Handler {
if authUser == nil { if authUser == nil {
token, err := models.GetAccessTokenBySHA(authUsername) token, err := models.GetAccessTokenBySHA(authUsername)
if err != nil { if err != nil {
ctx.NotFoundOrServerError("GetAccessTokenBySHA", models.IsErrAccessTokenNotExist, err) if models.IsErrAccessTokenEmpty(err) || models.IsErrAccessTokenNotExist(err) {
ctx.Error(http.StatusUnauthorized)
} else {
ctx.Handle(http.StatusInternalServerError, "GetAccessTokenBySHA", err)
}
return return
} }
token.Updated = time.Now() token.Updated = time.Now()

2
templates/.VERSION
View File

@@ -1 +1 @@
0.9.152.0216 0.9.153.0217

8
templates/repo/issue/list.tmpl
View File

@@ -33,7 +33,7 @@
<div class="menu"> <div class="menu">
<a class="item" href="{{$.Link}}?type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&milestone={{$.MilestoneID}}&assignee={{$.AssigneeID}}">{{.i18n.Tr "repo.issues.filter_label_no_select"}}</a> <a class="item" href="{{$.Link}}?type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&milestone={{$.MilestoneID}}&assignee={{$.AssigneeID}}">{{.i18n.Tr "repo.issues.filter_label_no_select"}}</a>
{{range .Labels}} {{range .Labels}}
<a class="item" href="{{$.Link}}?type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&labels={{.ID}}&milestone={{$.MilestoneID}}&assignee={{$.AssigneeID}}"><span class="octicon {{if eq $.SelectLabels .ID}}octicon-check{{end}}"></span><span class="label color" style="background-color: {{.Color}}"></span> {{.Name}}</a> <a class="item" href="{{$.Link}}?type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&labels={{.ID}}&milestone={{$.MilestoneID}}&assignee={{$.AssigneeID}}"><span class="octicon {{if eq $.SelectLabels .ID}}octicon-check{{end}}"></span><span class="label color" style="background-color: {{.Color}}"></span> {{.Name | Sanitize}}</a>
{{end}} {{end}}
</div> </div>
</div> </div>
@@ -47,7 +47,7 @@
<div class="menu"> <div class="menu">
<a class="item" href="{{$.Link}}?type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&assignee={{$.AssigneeID}}">{{.i18n.Tr "repo.issues.filter_milestone_no_select"}}</a> <a class="item" href="{{$.Link}}?type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&labels={{.SelectLabels}}&assignee={{$.AssigneeID}}">{{.i18n.Tr "repo.issues.filter_milestone_no_select"}}</a>
{{range .Milestones}} {{range .Milestones}}
<a class="{{if eq $.MilestoneID .ID}}active selected{{end}} item" href="{{$.Link}}?type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&labels={{$.SelectLabels}}&milestone={{.ID}}&assignee={{$.AssigneeID}}">{{.Name}}</a> <a class="{{if eq $.MilestoneID .ID}}active selected{{end}} item" href="{{$.Link}}?type={{$.ViewType}}&sort={{$.SortType}}&state={{$.State}}&labels={{$.SelectLabels}}&milestone={{.ID}}&assignee={{$.AssigneeID}}">{{.Name | Sanitize}}</a>
{{end}} {{end}}
</div> </div>
</div> </div>
@@ -105,7 +105,7 @@
<a class="title has-emoji" href="{{$.Link}}/{{.Index}}">{{.Title}}</a> <a class="title has-emoji" href="{{$.Link}}/{{.Index}}">{{.Title}}</a>
{{range .Labels}} {{range .Labels}}
<a class="ui label" href="{{$.Link}}?type={{$.ViewType}}&state={{$.State}}&labels={{.ID}}&milestone={{$.MilestoneID}}&assignee={{$.AssigneeID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}}">{{.Name}}</a> <a class="ui label" href="{{$.Link}}?type={{$.ViewType}}&state={{$.State}}&labels={{.ID}}&milestone={{$.MilestoneID}}&assignee={{$.AssigneeID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}}">{{.Name | Sanitize}}</a>
{{end}} {{end}}
{{if .NumComments}} {{if .NumComments}}
@@ -116,7 +116,7 @@
{{$.i18n.Tr "repo.issues.opened_by" $timeStr .Poster.HomeLink .Poster.Name | Safe}} {{$.i18n.Tr "repo.issues.opened_by" $timeStr .Poster.HomeLink .Poster.Name | Safe}}
{{if .Milestone}} {{if .Milestone}}
<a class="milestone" href="{{$.Link}}?type={{$.ViewType}}&state={{$.State}}&labels={{$.SelectLabels}}&milestone={{.Milestone.ID}}&assignee={{$.AssigneeID}}"> <a class="milestone" href="{{$.Link}}?type={{$.ViewType}}&state={{$.State}}&labels={{$.SelectLabels}}&milestone={{.Milestone.ID}}&assignee={{$.AssigneeID}}">
<span class="octicon octicon-milestone"></span> {{.Milestone.Name}} <span class="octicon octicon-milestone"></span> {{.Milestone.Name | Sanitize}}
</a> </a>
{{end}} {{end}}
{{if .Assignee}} {{if .Assignee}}

2
templates/repo/issue/milestones.tmpl
View File

@@ -26,7 +26,7 @@
<div class="milestone list"> <div class="milestone list">
{{range .Milestones}} {{range .Milestones}}
<li class="item"> <li class="item">
<i class="octicon octicon-milestone"></i> <a href="{{$.RepoLink}}/issues?state={{$.State}}&milestone={{.ID}}">{{.Name}}</a> <i class="octicon octicon-milestone"></i> <a href="{{$.RepoLink}}/issues?state={{$.State}}&milestone={{.ID}}">{{.Name | Sanitize}}</a>
<div class="ui right green progress" data-percent="{{.Completeness}}"> <div class="ui right green progress" data-percent="{{.Completeness}}">
<div class="bar" {{if not .Completeness}}style="background-color: transparent"{{end}}> <div class="bar" {{if not .Completeness}}style="background-color: transparent"{{end}}>
<div class="progress"></div> <div class="progress"></div>

8
templates/repo/issue/view_content.tmpl
View File

@@ -272,7 +272,7 @@
<span class="no-select item {{if .HasSelectedLabel}}hide{{end}}">{{.i18n.Tr "repo.issues.new.no_label"}}</span> <span class="no-select item {{if .HasSelectedLabel}}hide{{end}}">{{.i18n.Tr "repo.issues.new.no_label"}}</span>
{{range .Labels}} {{range .Labels}}
<div class="item"> <div class="item">
<a class="ui label {{if not .IsChecked}}hide{{end}}" id="label_{{.ID}}" href="{{$.RepoLink}}/issues?labels={{.ID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}}">{{.Name}}</a> <a class="ui label {{if not .IsChecked}}hide{{end}}" id="label_{{.ID}}" href="{{$.RepoLink}}/issues?labels={{.ID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}}">{{.Name | Sanitize}}</a>
</div> </div>
{{end}} {{end}}
@@ -294,7 +294,7 @@
{{.i18n.Tr "repo.issues.new.open_milestone"}} {{.i18n.Tr "repo.issues.new.open_milestone"}}
</div> </div>
{{range .OpenMilestones}} {{range .OpenMilestones}}
<div class="item" data-id="{{.ID}}" data-href="{{$.RepoLink}}/issues?milestone={{.ID}}"> {{.Name}}</div> <div class="item" data-id="{{.ID}}" data-href="{{$.RepoLink}}/issues?milestone={{.ID}}"> {{.Name | Sanitize}}</div>
{{end}} {{end}}
{{end}} {{end}}
{{if .ClosedMilestones}} {{if .ClosedMilestones}}
@@ -304,7 +304,7 @@
{{.i18n.Tr "repo.issues.new.closed_milestone"}} {{.i18n.Tr "repo.issues.new.closed_milestone"}}
</div> </div>
{{range .ClosedMilestones}} {{range .ClosedMilestones}}
<a class="item" data-id="{{.ID}}" data-href="{{$.RepoLink}}/issues?milestone={{.ID}}"> {{.Name}}</a> <a class="item" data-id="{{.ID}}" data-href="{{$.RepoLink}}/issues?milestone={{.ID}}"> {{.Name | Sanitize}}</a>
{{end}} {{end}}
{{end}} {{end}}
</div> </div>
@@ -313,7 +313,7 @@
<span class="no-select item {{if .Issue.Milestone}}hide{{end}}">{{.i18n.Tr "repo.issues.new.no_milestone"}}</span> <span class="no-select item {{if .Issue.Milestone}}hide{{end}}">{{.i18n.Tr "repo.issues.new.no_milestone"}}</span>
<div class="selected"> <div class="selected">
{{if .Issue.Milestone}} {{if .Issue.Milestone}}
<a class="item" href="{{.RepoLink}}/issues?milestone={{.Issue.Milestone.ID}}"> {{.Issue.Milestone.Name}}</a> <a class="item" href="{{.RepoLink}}/issues?milestone={{.Issue.Milestone.ID}}"> {{.Issue.Milestone.Name | Sanitize}}</a>
{{end}} {{end}}
</div> </div>
</div> </div>