
Commit 151ffd3

author
Richard Jones
committed
security fixes
1 parent 87bd766 commit 151ffd3

11 files changed

+41
-34
lines changed


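--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,6 +1,11 @@
 This file contains the changes to the Roundup system over time. The entries
 are given with the most recent entry first.
 
+2008-03-01 1.4.4
+Fixed:
+- Security fixes (thanks Roland Meister)
+
+
 2008-02-27 1.4.3
 Fixed:
 - MySQL backend bug introduced in 1.4.2 (TEXT columns need a size when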

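--- a/doc/announcement.txt
+++ b/doc/announcement.txt
@@ -1,8 +1,7 @@
-I'm proud to release version 1.4.3 of Roundup.
+I'm proud to release version 1.4.4 of Roundup.
 
-Just one bug was fixed in 1.4.3:
-
-- MySQL backend bug introduced in 1.4.2
+1.4.4 is a security fix release. All installations of Roundup are strongly
+encouraged to update.
 
 If you're upgrading from an older version of Roundup you *must* follow
 the "Software Upgrade" guidelines given in the maintenance documentation.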

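--- a/doc/index.txt
+++ b/doc/index.txt
@@ -130,6 +130,7 @@ Will Maier,
 Georges Martin,
 Gordon McMillan,
 John F Meinel Jr,
+Roland Meister,
 Ulrik Mikaelsson,
 John Mitchell,
 Ramiro Morales,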

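--- a/roundup/__init__.py
+++ b/roundup/__init__.py
@@ -15,7 +15,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 #
-# $Id: __init__.py,v 1.50 2008-02-27 08:32:50 richard Exp $
+# $Id: __init__.py,v 1.51 2008-03-01 08:18:06 richard Exp $
 
 '''Roundup - issue tracking for knowledge workers.
 
@@ -68,6 +68,6 @@
 '''
 __docformat__ = 'restructuredtext'
 
-__version__ = '1.4.3'
+__version__ = '1.4.4'
 
 # vim: set filetype=python ts=4 sw=4 et si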

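--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -878,7 +878,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$')):
 prop = self[prop_n]
 if not isinstance(prop, HTMLProperty):
 continue
-current[prop_n] = prop.plain()
+current[prop_n] = prop.plain(escape=1)
 # make link if hrefable
 if (self._props.has_key(prop_n) and
 isinstance(self._props[prop_n], hyperdb.Link)):
@@ -979,6 +979,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$')):
 if labelprop is not None and \
 labelprop != 'id':
 label = linkcl.get(linkid, labelprop)
+label = cgi.escape(label)
 except IndexError:
 comments['no_link'] = self._(
 "<strike>The linked node"
@@ -1002,7 +1003,8 @@ def history(self, direction='descending', dre=re.compile('^\d+$')):
 # there's no labelprop!
 if labelprop is not None and labelprop != 'id':
 try:
-label = linkcl.get(args[k], labelprop)
+label = cgi.escape(linkcl.get(args[k],
+labelprop))
 except IndexError:
 comments['no_link'] = self._(
 "<strike>The linked node"
@@ -1012,7 +1014,8 @@ def history(self, direction='descending', dre=re.compile('^\d+$')):
 label = None
 if label is not None:
 if hrefable:
-old = '<a href="%s%s">%s</a>'%(classname, args[k], label)
+old = '<a href="%s%s">%s</a>'%(classname,
+args[k], label)
 else:
 old = label;
 cell.append('%s: %s' % (self._(k), old))
@@ -1369,7 +1372,7 @@ def field(self, **kwargs):
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 
 value = self._value
 if value is None:
@@ -1423,7 +1426,7 @@ def email(self, escape=1):
 return value
 
 class PasswordHTMLProperty(HTMLProperty):
-def plain(self):
+def plain(self, escape=0):
 """ Render a "plain" representation of the property
 """
 if not self.is_view_ok():
@@ -1439,7 +1442,7 @@ def field(self, size=30):
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 
 return self.input(type="password", name=self._formname, size=size)
 
@@ -1459,7 +1462,7 @@ def confirm(self, size=30):
 size=size)
 
 class NumberHTMLProperty(HTMLProperty):
-def plain(self):
+def plain(self, escape=0):
 """ Render a "plain" representation of the property
 """
 if not self.is_view_ok():
@@ -1476,7 +1479,7 @@ def field(self, size=30):
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 
 value = self._value
 if value is None:
@@ -1496,7 +1499,7 @@ def __float__(self):
 
 
 class BooleanHTMLProperty(HTMLProperty):
-def plain(self):
+def plain(self, escape=0):
 """ Render a "plain" representation of the property
 """
 if not self.is_view_ok():
@@ -1512,7 +1515,7 @@ def field(self):
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 
 value = self._value
 if isinstance(value, str) or isinstance(value, unicode):
@@ -1549,7 +1552,7 @@ def __init__(self, client, classname, nodeid, prop, name, value,
 if self._offset is None :
 self._offset = self._prop.offset (self._db)
 
-def plain(self):
+def plain(self, escape=0):
 """ Render a "plain" representation of the property
 """
 if not self.is_view_ok():
@@ -1600,7 +1603,7 @@ def field(self, size=30, default=None, format=_marker, popcal=True):
 """
 if not self.is_edit_ok():
 if format is self._marker:
-return self.plain()
+return self.plain(escape=1)
 else:
 return self.pretty(format)
 
@@ -1720,7 +1723,7 @@ def __init__(self, client, classname, nodeid, prop, name, value,
 if self._value and not isinstance(self._value, (str, unicode)):
 self._value.setTranslator(self._client.translator)
 
-def plain(self):
+def plain(self, escape=0):
 """ Render a "plain" representation of the property
 """
 if not self.is_view_ok():
@@ -1744,7 +1747,7 @@ def field(self, size=30):
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 
 value = self._value
 if value is None:
@@ -1806,7 +1809,7 @@ def field(self, showid=0, size=None):
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 
 # edit field
 linkcl = self._db.getclass(self._prop.classname)
@@ -1842,7 +1845,7 @@ def menu(self, size=None, height=None, showid=0, additional=[], value=None,
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 
 if value is None:
 value = self._value
@@ -1999,7 +2002,7 @@ def field(self, size=30, showid=0):
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 
 linkcl = self._db.getclass(self._prop.classname)
 value = self._value[:]
@@ -2034,7 +2037,7 @@ def menu(self, size=None, height=None, showid=0, additional=[],
 If not editable, just display the value via plain().
 """
 if not self.is_edit_ok():
-return self.plain()
+return self.plain(escape=1)
 
 if value is None:
 value = self._value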
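Review bot: `label = cgi.escape(linkcl.get(args[k], labelprop))` in the hunk at old line 1005 (and `label = cgi.escape(label)` in the hunk at line 982) raises AttributeError instead of producing an escaped label if `linkcl.get()` returns None for an unset label property, and the surrounding `except IndexError:` does not catch that, while the `if label is not None:` test a few lines later suggests None is an expected value here. Splitting the call keeps the None path intact: `label = linkcl.get(args[k], labelprop)` / `if label is not None:` / `label = cgi.escape(label)`. The hrefable branch in the following hunk still interpolates `classname` and `args[k]` into the href attribute unescaped; if `args[k]` is not guaranteed to be a numeric id, it should go through `cgi.escape(..., quote=True)` as well. history() starts and ends outside these hunks. The new `escape=0` parameter on the `plain()` overrides at old lines 1426, 1462, 1499, 1552 and 1723 is visible only at the signature; if those bodies do not honor it, the docstring should say so (`escape is accepted for signature compatibility with HTMLProperty.plain() and has no effect here`) so that the `escape=1` passed from `field()` is not read as a guarantee.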

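--- a/setup.py
+++ b/setup.py
@@ -16,7 +16,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 #
-# $Id: setup.py,v 1.101 2008-02-27 20:57:56 richard Exp $
+# $Id: setup.py,v 1.102 2008-03-01 08:18:06 richard Exp $
 
 from distutils.core import setup, Extension
 from distutils.util import get_platform
@@ -352,9 +352,8 @@ def main():
 '''In this release
 ===============
 
-Just one bug was fixed in 1.4.3:
-
-- MySQL backend bug introduced in 1.4.2
+1.4.4 is a security fix release. All installations of Roundup are strongly
+encouraged to update.
 
 If you're upgrading from an older version of Roundup you *must* follow
 the "Software Upgrade" guidelines given in the maintenance documentation.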

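--- a/templates/classic/html/_generic.help-list.html
+++ b/templates/classic/html/_generic.help-list.html
@@ -1,4 +1,4 @@
-<!-- $Id: _generic.help-list.html,v 1.1 2006-09-18 00:03:02 tobias-herp Exp $ vim: sw=2 ts=8 et
+<!-- $Id: _generic.help-list.html,v 1.2 2008-03-01 08:18:07 richard Exp $ vim: sw=2 ts=8 et
 --><html tal:define="vok context/is_view_ok">
 <head>
 <title>Search result for user helper</title>
@@ -64,7 +64,7 @@
 <td tal:repeat="prop props">
 <label class="classhelp-label"
 tal:attributes="for string:id_$attr"
-tal:content="structure python:item[prop]"></label>
+tal:content="python:item[prop]"></label>
 </td>
 </tal:block>
 </tr>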

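--- a/templates/classic/html/_generic.help.html
+++ b/templates/classic/html/_generic.help.html
@@ -83,7 +83,7 @@
 <td tal:repeat="prop props">
 <label class="classhelp-label"
 tal:attributes="for string:id_$attr"
-tal:content="structure python:item[prop]"></label>
+tal:content="python:item[prop]"></label>
 </td>
 </tal:block>
 </tr>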

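--- a/templates/classic/html/page.html
+++ b/templates/classic/html/page.html
@@ -144,7 +144,7 @@ <h2><span metal:define-slot="body_title">body title</span></h2>
 
 <p class="userblock" tal:condition="python:request.user.username != 'anonymous'">
 <b i18n:translate="">Hello, <span i18n:name="user"
-tal:replace="request/user/username">username</span></b><br>
+tal:replace="python:request.user.username.plain(escape=1)">username</span></b><br>
 <a href="#"
 tal:attributes="href python:request.indexargs_url('issue', {
 '@sort': '-activity',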

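--- a/templates/minimal/html/_generic.help.html
+++ b/templates/minimal/html/_generic.help.html
@@ -83,7 +83,7 @@
 <td tal:repeat="prop props">
 <label class="classhelp-label"
 tal:attributes="for string:id_$attr"
-tal:content="structure python:item[prop]"></label>
+tal:content="python:item[prop]"></label>
 </td>
 </tal:block>
 </tr>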
