incubator-allura-commits mailing list archives

From john...@apache.org
Subject git commit: [#5596] Fixed missed unsafe interpolation
Date Wed, 16 Jan 2013 19:36:48 GMT
Updated Branches:
  refs/heads/cj/5596 9c6a92cd3 -> a372f282d (forced update)


[#5596] Fixed missed unsafe interpolation

Signed-off-by: Cory Johns <johnsca@geek.net>


Project: http://git-wip-us.apache.org/repos/asf/incubator-allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-allura/commit/a372f282
Tree: http://git-wip-us.apache.org/repos/asf/incubator-allura/tree/a372f282
Diff: http://git-wip-us.apache.org/repos/asf/incubator-allura/diff/a372f282

Branch: refs/heads/cj/5596
Commit: a372f282db5fa2f8aa3ef81ccdbf561e5ccc0595
Parents: 36074c0
Author: Cory Johns <johnsca@geek.net>
Authored: Wed Jan 16 19:31:59 2013 +0000
Committer: Cory Johns <johnsca@geek.net>
Committed: Wed Jan 16 19:36:27 2013 +0000

----------------------------------------------------------------------
 Allura/allura/model/discuss.py               |    7 -------
 Allura/allura/tests/model/test_discussion.py |    1 -
 2 files changed, 0 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/a372f282/Allura/allura/model/discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/model/discuss.py b/Allura/allura/model/discuss.py
index 41c44ce..7c263cd 100644
--- a/Allura/allura/model/discuss.py
+++ b/Allura/allura/model/discuss.py
@@ -502,13 +502,6 @@ class Post(Message, VersionedArtifact, ActivityObject):
     def primary(self):
         return self.thread.primary()
 
-    def summary(self):
-        # XXX XSS security hole here: display_name can be manipulated to
-        # contain unescaped HTML, opening a potential XSS attack
-        return '<a href="%s">%s</a> %s' % (
-            self.author().url(), self.author().get_pref('display_name'),
-            h.ago(self.timestamp))
-
     def url(self):
         if self.thread:
             return self.thread.url() + h.urlquote(self.slug) + '/'
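Review bot: deleting `Post.summary()` outright is only safe if nothing else in the tree still calls it; the patch adjusts one test but touches no templates or controllers, so a `grep -r 'summary()'` across `Allura/` (including Jinja templates) should confirm there are no remaining callers, otherwise the fix trades an XSS hole for an `AttributeError` at render time. If a summary rendering is still needed somewhere, the right replacement is to keep the method but pass `display_name` through the project's markup-escaping helper before interpolating it into the `<a>` element, rather than building raw HTML with `%` formatting; the removed comment itself documents that `display_name` is user-controlled.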

http://git-wip-us.apache.org/repos/asf/incubator-allura/blob/a372f282/Allura/allura/tests/model/test_discussion.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/model/test_discussion.py b/Allura/allura/tests/model/test_discussion.py
index 298c554..a31f043 100644
--- a/Allura/allura/tests/model/test_discussion.py
+++ b/Allura/allura/tests/model/test_discussion.py
@@ -131,7 +131,6 @@ def test_post_methods():
     assert p.parent is None
     assert p.subject == 'Test Thread'
     assert p.attachments.count() == 0
-    assert 'Test Admin' in p.summary()
     assert 'wiki/_discuss' in p.url()
     assert p.reply_subject() == 'Re: Test Thread'
     assert p.link_text() == p.subject
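Review bot: dropping `assert 'Test Admin' in p.summary()` removes the only coverage of this code path without adding anything in its place; consider a small regression guard here, for example `assert not hasattr(p, 'summary')`, so that a future reintroduction of an unescaped `summary()` fails the test rather than silently reappearing, or, if an escaped replacement is added later, a test that a display name containing `<script>` is rendered with the angle brackets escaped.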

