From 31946bda9f77edc3d11ea78a7513a7a3bb6bb2b2 Mon Sep 17 00:00:00 2001
From: "Dustin J. Mitchell" <dustin@zmanda.com>
Date: Fri, 14 Aug 2009 16:35:39 -0400
Subject: [PATCH] fix XSS vulnerabilities in 0.7.8

---
 buildbot/status/web/baseweb.py   | 12 ++++++++----
 buildbot/status/web/build.py     |  5 +++--
 buildbot/status/web/builder.py   |  2 +-
 buildbot/status/web/grid.py      |  9 ++++++---
 buildbot/status/web/tests.py     |  2 +-
 buildbot/status/web/waterfall.py |  6 +++---
 6 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/buildbot/status/web/baseweb.py b/buildbot/status/web/baseweb.py
index 149266cdb53..47dd892cba0 100644
--- a/buildbot/status/web/baseweb.py
+++ b/buildbot/status/web/baseweb.py
@@ -102,10 +102,12 @@ def body(self, req):
         data = ""
 
         # really this is "up to %d builds"
+        html_branches = map(html.escape, branches)
         data += "<h1>Last %d finished builds: %s</h1>\n" % \
-                (numbuilds, ", ".join(branches))
+                (numbuilds, ", ".join(html_branches))
         if builders:
-            data += ("<p>of builders: %s</p>\n" % (", ".join(builders)))
+            html_builders = map(html.escape, builders)
+            data += ("<p>of builders: %s</p>\n" % (", ".join(html_builders)))
         data += "<ul>\n"
         got = 0
         building = False
@@ -156,8 +158,9 @@ def body(self, req):
                                                 numbuilds)
 
         data = ""
+        html_branches = map(html.escape, branches)
         data += ("<h1>Last %d builds of builder %s: %s</h1>\n" %
-                 (numbuilds, self.builder_name, ", ".join(branches)))
+                 (numbuilds, self.builder_name, ", ".join(html_branches)))
         data += "<ul>\n"
         got = 0
         for build in g:
@@ -192,7 +195,8 @@ def body(self, req):
 
         data = ""
 
-        data += "<h2>Latest builds: %s</h2>\n" % ", ".join(branches)
+        html_branches = map(html.escape, branches)
+        data += "<h2>Latest builds: %s</h2>\n" % ", ".join(html_branches)
         data += "<table>\n"
 
         building = False
diff --git a/buildbot/status/web/build.py b/buildbot/status/web/build.py
index 905bedc9700..755884dd6a6 100644
--- a/buildbot/status/web/build.py
+++ b/buildbot/status/web/build.py
@@ -209,8 +209,9 @@ def stop(self, req):
                 (b.getBuilder().getName(), b.getNumber()))
         name = req.args.get("username", ["<unknown>"])[0]
         comments = req.args.get("comments", ["<no reason specified>"])[0]
+        # html-quote both the username and comments, just to be safe
         reason = ("The web-page 'stop build' button was pressed by "
-                  "'%s': %s\n" % (name, comments))
+                  "'%s': %s\n" % (html.escape(name), html.escape(comments)))
         c.stopBuild(reason)
         # we're at http://localhost:8080/svn-hello/builds/5/stop?[args] and
         # we want to go to: http://localhost:8080/svn-hello
@@ -227,7 +228,7 @@ def rebuild(self, req):
         name = req.args.get("username", ["<unknown>"])[0]
         comments = req.args.get("comments", ["<no reason specified>"])[0]
         reason = ("The web-page 'rebuild' button was pressed by "
-                  "'%s': %s\n" % (name, comments))
+                  "'%s': %s\n" % (html.escape(name), html.escape(comments)))
         if not bc or not b.isFinished():
             log.msg("could not rebuild: bc=%s, isFinished=%s"
                     % (bc, b.isFinished()))
diff --git a/buildbot/status/web/builder.py b/buildbot/status/web/builder.py
index d625d431d35..c34b49ebfea 100644
--- a/buildbot/status/web/builder.py
+++ b/buildbot/status/web/builder.py
@@ -168,7 +168,7 @@ def force(self, req):
         revision = req.args.get("revision", [""])[0]
 
         r = "The web-page 'force build' button was pressed by '%s': %s\n" \
-            % (name, reason)
+            % (html.escape(name), html.escape(reason))
         log.msg("web forcebuild of builder '%s', branch='%s', revision='%s'"
                 % (self.builder_status.getName(), branch, revision))
 
diff --git a/buildbot/status/web/grid.py b/buildbot/status/web/grid.py
index 59a25aa0df5..983bf11bfeb 100644
--- a/buildbot/status/web/grid.py
+++ b/buildbot/status/web/grid.py
@@ -3,6 +3,8 @@
 import sys, time, os.path
 import urllib
 
+from twisted.web import html, resource
+
 from buildbot import util
 from buildbot import version
 from buildbot.status.web.base import HtmlResource
@@ -168,12 +170,13 @@ def body(self, request):
         data += '<tr>\n'
         data += '<td class="title"><a href="%s">%s</a>' % (projectURL, projectName)
         if categories:
+            html_categories = map(html.escape(categories))
             if len(categories) > 1:
-                data += '\n<br /><b>Categories:</b><br/>%s' % ('<br/>'.join(categories))
+                data += '\n<br /><b>Categories:</b><br/>%s' % ('<br/>'.join(html_categories))
             else:
-                data += '\n<br /><b>Category:</b> %s' % categories[0]
+                data += '\n<br /><b>Category:</b> %s' % html_categories[0]
         if branch != ANYBRANCH:
-            data += '\n<br /><b>Branch:</b> %s' % (branch or 'trunk')
+            data += '\n<br /><b>Branch:</b> %s' % (html.escape(branch) or 'trunk')
         data += '</td>\n'
         for stamp in stamps:
             data += self.stamp_td(stamp)
diff --git a/buildbot/status/web/tests.py b/buildbot/status/web/tests.py
index b96bba2225f..09b7be44d36 100644
--- a/buildbot/status/web/tests.py
+++ b/buildbot/status/web/tests.py
@@ -61,4 +61,4 @@ def getChild(self, path, request):
             result = self.test_results[name]
             return TestResult(name, result)
         except KeyError:
-            return NoResource("No such test name '%s'" % path)
+            return NoResource("No such test name '%s'" % html.escape(path))
diff --git a/buildbot/status/web/waterfall.py b/buildbot/status/web/waterfall.py
index 0fc04d1f0e2..bec2baec005 100644
--- a/buildbot/status/web/waterfall.py
+++ b/buildbot/status/web/waterfall.py
@@ -353,7 +353,7 @@ def body(self, request):
                                     '<input type="text" name="branch" '
                                     'value="%s">'
                                     '</td></tr>\n'
-                                    ) % (b,)
+                                    ) % (html.escape(b),)
         show_branches_input += '</table>\n'
 
         # this has a set of toggle-buttons to let the user choose the
@@ -396,7 +396,7 @@ def body(self, request):
                                   '<td><input type="radio" name="reload" '
                                   'value="%s" %s></td> '
                                   '<td>%s</td></tr>\n'
-                                  ) % (value, checked, name)
+                                  ) % (html.escape(value), checked, html.escape(name))
         show_reload_input += '</table>\n'
 
         fields = {"show_events_input": show_events_input,
@@ -545,7 +545,7 @@ def with_args(req, remove_args=[], new_args=[], new_path=None):
                     newargs[k].append(v)
                 else:
                     newargs[k] = [v]
-            newquery = "&".join(["%s=%s" % (k, v)
+            newquery = "&".join(["%s=%s" % (urllib.quote(k), urllib.quote(v))
                                  for k in newargs
                                  for v in newargs[k]
                                  ])