From 5155f026b4d6a66eb58f4dba371c047fbee932e5 Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Fri, 17 Feb 2017 08:06:48 -0500
Subject: Security: fix XSS attack on milestone
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported by Miguel Ángel Jimeno.
---
gogs.go | 2 +-
routers/repo/http.go | 8 ++++++--
templates/.VERSION | 2 +-
templates/repo/issue/list.tmpl | 8 ++++----
templates/repo/issue/milestones.tmpl | 2 +-
templates/repo/issue/view_content.tmpl | 8 ++++----
6 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/gogs.go b/gogs.go
index 73fecd55..497d0f6e 100644
--- a/gogs.go
+++ b/gogs.go
@@ -16,7 +16,7 @@ import (
"github.com/gogits/gogs/modules/setting"
)
-const APP_VER = "0.9.152.0216"
+const APP_VER = "0.9.153.0217"
func init() {
setting.AppVer = APP_VER
diff --git a/routers/repo/http.go b/routers/repo/http.go
index f2f1110b..c3cec9e3 100644
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -95,7 +95,7 @@ func HTTPContexter() macaron.Handler {
authUser, err := models.UserSignIn(authUsername, authPassword)
if err != nil && !models.IsErrUserNotExist(err) {
- ctx.Handle(http.StatusInternalServerError, "UserSignIn: %v", err)
+ ctx.Handle(http.StatusInternalServerError, "UserSignIn", err)
return
}
@@ -103,7 +103,11 @@ func HTTPContexter() macaron.Handler {
if authUser == nil {
token, err := models.GetAccessTokenBySHA(authUsername)
if err != nil {
- ctx.NotFoundOrServerError("GetAccessTokenBySHA", models.IsErrAccessTokenNotExist, err)
+ if models.IsErrAccessTokenEmpty(err) || models.IsErrAccessTokenNotExist(err) {
+ ctx.Error(http.StatusUnauthorized)
+ } else {
+ ctx.Handle(http.StatusInternalServerError, "GetAccessTokenBySHA", err)
+ }
return
}
token.Updated = time.Now()
diff --git a/templates/.VERSION b/templates/.VERSION
index 71394c9f..7a4cb9cf 100644
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.9.152.0216
\ No newline at end of file
+0.9.153.0217
\ No newline at end of file
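Review bot: The new `ctx.Error(http.StatusUnauthorized)` in the access-token branch of HTTPContexter sends a bare 401; as far as this hunk shows, no `WWW-Authenticate` header accompanies it, and Git's HTTP client treats a 401 without that header as a hard failure rather than a prompt to retry with credentials. Unless an earlier branch of the handler (outside the hunk) already sets the header on this path, consider something like `ctx.Resp.Header().Set("WWW-Authenticate", "Basic realm=\".\"")` immediately before the `ctx.Error` call, reusing whatever helper the empty-Authorization branch uses so the two paths stay consistent. Replacing the previous 404/500 with 401 for an unknown or empty token is the right status choice, and it stops an ordinary lookup miss from being logged as a server error. HTTPContexter begins and ends outside this hunk.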
diff --git a/templates/repo/issue/list.tmpl b/templates/repo/issue/list.tmpl index d00c9aea..57dd8f4c 100644 --- a/templates/repo/issue/list.tmpl +++ b/templates/repo/issue/list.tmpl @@ -33,7 +33,7 @@ @@ -47,7 +47,7 @@ @@ -105,7 +105,7 @@ {{.Title}} {{range .Labels}} - {{.Name}} + {{.Name | Sanitize}} {{end}} {{if .NumComments}} @@ -116,7 +116,7 @@ {{$.i18n.Tr "repo.issues.opened_by" $timeStr .Poster.HomeLink .Poster.Name | Safe}} {{if .Milestone}} - {{.Milestone.Name}} + {{.Milestone.Name | Sanitize}} {{end}} {{if .Assignee}} diff --git a/templates/repo/issue/milestones.tmpl b/templates/repo/issue/milestones.tmpl index 038eaabd..e9055843 100644 --- a/templates/repo/issue/milestones.tmpl +++ b/templates/repo/issue/milestones.tmpl @@ -26,7 +26,7 @@
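Review bot: `Sanitize` is an HTML sanitizer, i.e. an allow-list over markup rather than an escape, so after `{{.Name | Sanitize}}` and `{{.Milestone.Name | Sanitize}}` a label or milestone name containing permitted tags is still emitted as HTML; for fields that are plain text by definition, HTML-escaping is the tighter fix. If the template engine already escapes `{{.Name}}` on output, piping through `Sanitize` first will double-encode names containing `&`, `<` or quotes (`R&D` would render as `R&amp;D`), and the unescaped sink that let the reported payload through is presumably a `| Safe`/`| Str2html` pipeline or a non-text (attribute or script) context not displayed in this hunk — worth confirming which, so the fix targets that sink. A regression test rendering a milestone named `<img src=x onerror=alert(1)>` and one named `A & B` would pin both the XSS fix and the encoding behaviour. The two earlier hunks of this file (lines 33 and 47) appear here with their content stripped, so their new lines could not be reviewed.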
{{range .Milestones}}
  • - {{.Name}} + {{.Name | Sanitize}}
    diff --git a/templates/repo/issue/view_content.tmpl b/templates/repo/issue/view_content.tmpl index e3ecfe74..3296bc09 100644 --- a/templates/repo/issue/view_content.tmpl +++ b/templates/repo/issue/view_content.tmpl @@ -272,7 +272,7 @@ {{.i18n.Tr "repo.issues.new.no_label"}} {{range .Labels}} {{end}} @@ -294,7 +294,7 @@ {{.i18n.Tr "repo.issues.new.open_milestone"}}
    {{range .OpenMilestones}} -
    {{.Name}}
    +
    {{.Name | Sanitize}}
    {{end}} {{end}} {{if .ClosedMilestones}} @@ -304,7 +304,7 @@ {{.i18n.Tr "repo.issues.new.closed_milestone"}}
    {{range .ClosedMilestones}} - {{.Name}} + {{.Name | Sanitize}} {{end}} {{end}}
  • @@ -313,7 +313,7 @@ {{.i18n.Tr "repo.issues.new.no_milestone"}}
    {{if .Issue.Milestone}} - {{.Issue.Milestone.Name}} + {{.Issue.Milestone.Name | Sanitize}} {{end}}
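Review bot: The fix is applied sink by sink — `{{.Issue.Milestone.Name | Sanitize}}` here and the open/closed milestone lists above — so any other template that prints a milestone or label name and is not part of this patch (for example a milestone create/edit form or other filter dropdowns, if they exist) remains exposed wherever it shares the same unescaped sink. A grep across `templates/` for `Milestone.Name` and for `.Name` inside `range` blocks over `Milestones`/`Labels` would confirm the patch is complete, and a single helper that returns escaped text for these names would centralise the rule instead of relying on each template author to remember the pipe. The `@@ -272` hunk of this file (labels) is shown without its content, so its new line could not be checked. Both the `{{if .Issue.Milestone}}` block and the enclosing sidebar markup continue outside this hunk.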