
fix XSS vulnerabilities in 0.7.8

1 parent da02ea1 commit 31946bda9f77edc3d11ea78a7513a7a3bb6bb2b2 Dustin J. Mitchell committed
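--- a/buildbot/status/web/baseweb.py
+++ b/buildbot/status/web/baseweb.py
@@ -102,10 +102,12 @@ def body(self, req):
 data = ""
 # really this is "up to %d builds"
+html_branches = map(html.escape, branches)
 data += "<h1>Last %d finished builds: %s</h1>\n" % \
-(numbuilds, ", ".join(branches))
+(numbuilds, ", ".join(html_branches))
 if builders:
-data += ("<p>of builders: %s</p>\n" % (", ".join(builders)))
+html_builders = map(html.escape, builders)
+data += ("<p>of builders: %s</p>\n" % (", ".join(html_builders)))
 data += "<ul>\n"
 got = 0
 building = False
@@ -156,8 +158,9 @@ def body(self, req):
 numbuilds)
 data = ""
+html_branches = map(html.escape, branches)
 data += ("<h1>Last %d builds of builder %s: %s</h1>\n" %
-(numbuilds, self.builder_name, ", ".join(branches)))
+(numbuilds, self.builder_name, ", ".join(html_branches)))
 data += "<ul>\n"
 got = 0
 for build in g:
@@ -192,7 +195,8 @@ def body(self, req):
 data = ""
-data += "<h2>Latest builds: %s</h2>\n" % ", ".join(branches)
+html_branches = map(html.escape, branches)
+data += "<h2>Latest builds: %s</h2>\n" % ", ".join(html_branches)
 data += "<table>\n"
 building = False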
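Review bot: On the h1 line of the second hunk, `self.builder_name` is still interpolated raw right next to the now-escaped `html_branches`; if it is taken from the request path rather than resolved against the configured builders, it needs `html.escape(self.builder_name)` as well, otherwise a comment such as `# builder_name is already validated against the configured builders` should say why it is trusted. No import of `html` is added to this file, whereas grid.py needed `from twisted.web import html`, so presumably it is already imported above these hunks — worth confirming before the release is cut. All three `body` methods start and end outside their hunks.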
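--- a/buildbot/status/web/build.py
+++ b/buildbot/status/web/build.py
@@ -209,8 +209,9 @@ def stop(self, req):
 (b.getBuilder().getName(), b.getNumber()))
 name = req.args.get("username", ["<unknown>"])[0]
 comments = req.args.get("comments", ["<no reason specified>"])[0]
+# html-quote both the username and comments, just to be safe
 reason = ("The web-page 'stop build' button was pressed by "
-"'%s': %s\n" % (name, comments))
+"'%s': %s\n" % (html.escape(name), html.escape(comments)))
 c.stopBuild(reason)
 # we're at http://localhost:8080/svn-hello/builds/5/stop?[args] and
 # we want to go to: http://localhost:8080/svn-hello
@@ -227,7 +228,7 @@ def rebuild(self, req):
 name = req.args.get("username", ["<unknown>"])[0]
 comments = req.args.get("comments", ["<no reason specified>"])[0]
 reason = ("The web-page 'rebuild' button was pressed by "
-"'%s': %s\n" % (name, comments))
+"'%s': %s\n" % (html.escape(name), html.escape(comments)))
 if not bc or not b.isFinished():
 log.msg("could not rebuild: bc=%s, isFinished=%s"
 % (bc, b.isFinished()))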
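Review bot: In both `stop` and `rebuild` the escaping is applied where `reason` is built and handed to `c.stopBuild(reason)` (and, presumably, stored with the build), not where it is rendered, so the persisted reason is now HTML-encoded text — even the default becomes `&lt;no reason specified&gt;`. Any consumer that prints it as plain text (logs, mail or IRC status targets, if the reason reaches them) will show the entities, and an HTML view that also escapes on output will double-encode. The conventional fix is to keep `reason` raw here and escape in the page that prints it; if storing it escaped is the intended contract, replace the "just to be safe" comment with one that states it, e.g. `# NOTE: reason is stored already HTML-escaped; render it without escaping again`. Both methods continue outside the hunks.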
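--- a/buildbot/status/web/builder.py
+++ b/buildbot/status/web/builder.py
@@ -168,7 +168,7 @@ def force(self, req):
 revision = req.args.get("revision", [""])[0]
 r = "The web-page 'force build' button was pressed by '%s': %s\n" \
-% (name, reason)
+% (html.escape(name), html.escape(reason))
 log.msg("web forcebuild of builder '%s', branch='%s', revision='%s'"
 % (self.builder_status.getName(), branch, revision))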
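Review bot: `branch` and `revision`, both read from `req.args`, go straight into `log.msg(...)` on the line after the escaped `r`; HTML escaping is beside the point for the log, but an embedded CR/LF in either value lets a client forge log lines, so log them as `repr(branch)`, `repr(revision)` to keep each entry on one line. Twisted's default file observer indents continuation lines, which limits the damage, but a custom observer may not, and the values are otherwise unvalidated here. As in build.py, `r` is escaped at construction rather than at render time, so whatever stores or prints it outside HTML will see entities. The `force` method starts and ends outside the hunk.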
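--- a/buildbot/status/web/grid.py
+++ b/buildbot/status/web/grid.py
@@ -3,6 +3,8 @@
 import sys, time, os.path
 import urllib
+from twisted.web import html, resource
+
 from buildbot import util
 from buildbot import version
 from buildbot.status.web.base import HtmlResource
@@ -168,12 +170,13 @@ def body(self, request):
 data += '<tr>\n'
 data += '<td class="title"><a href="%s">%s</a>' % (projectURL, projectName)
 if categories:
+html_categories = map(html.escape(categories))
 if len(categories) > 1:
-data += '\n<br /><b>Categories:</b><br/>%s' % ('<br/>'.join(html_categories))
+data += '\n<br /><b>Categories:</b><br/>%s' % ('<br/>'.join(html_categories))
 else:
-data += '\n<br /><b>Category:</b> %s' % categories[0]
+data += '\n<br /><b>Category:</b> %s' % html_categories[0]
 if branch != ANYBRANCH:
-data += '\n<br /><b>Branch:</b> %s' % (branch or 'trunk')
+data += '\n<br /><b>Branch:</b> %s' % (html.escape(branch) or 'trunk')
 data += '</td>\n'
 for stamp in stamps:
 data += self.stamp_td(stamp)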
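Review bot: `html_categories = map(html.escape(categories))` is broken: it calls `html.escape` on the list itself (no `.replace` on a list) and passes `map` a single argument, so every grid page with categories will raise instead of rendering; it should read `html_categories = map(html.escape, categories)`, or a list comprehension, since `html_categories[0]` is indexed two lines later and a Python 3 `map` object would not support that. On the branch line, `html.escape(branch) or 'trunk'` moves the `or` outside the escape, so a `None` branch that the original `branch or 'trunk'` tolerated now raises `AttributeError`; write `html.escape(branch or 'trunk')`. `projectURL` and `projectName` on the `<td class="title">` line remain unescaped, which is fine only if they come from the master configuration rather than the request. The `body` method continues outside the hunk.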
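--- a/buildbot/status/web/tests.py
+++ b/buildbot/status/web/tests.py
@@ -61,4 +61,4 @@ def getChild(self, path, request):
 result = self.test_results[name]
 return TestResult(name, result)
 except KeyError:
-return NoResource("No such test name '%s'" % path)
+return NoResource("No such test name '%s'" % html.escape(path))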
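Review bot: No import of `html` is added to tests.py, unlike grid.py where `from twisted.web import html` had to be added, so confirm the name is already in scope in this module; otherwise the 404 path now raises `NameError` instead of returning the `NoResource`. Escaping here also assumes `NoResource` inserts its message into its HTML body verbatim — if the Twisted version this release targets already escapes the detail in `ErrorPage.render`, the path will be double-encoded in the response. The `getChild` method starts outside the hunk.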
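--- a/buildbot/status/web/waterfall.py
+++ b/buildbot/status/web/waterfall.py
@@ -353,7 +353,7 @@ def body(self, request):
 '<input type="text" name="branch" '
 'value="%s">'
 '</td></tr>\n'
-) % (b,)
+) % (html.escape(b),)
 show_branches_input += '</table>\n'
 # this has a set of toggle-buttons to let the user choose the
@@ -396,7 +396,7 @@ def body(self, request):
 '<td><input type="radio" name="reload" '
 'value="%s" %s></td> '
 '<td>%s</td></tr>\n'
-) % (value, checked, name)
+) % (html.escape(value), checked, html.escape(name))
 show_reload_input += '</table>\n'
 fields = {"show_events_input": show_events_input,
@@ -545,7 +545,7 @@ def with_args(req, remove_args=[], new_args=[], new_path=None):
 newargs[k].append(v)
 else:
 newargs[k] = [v]
-newquery = "&".join(["%s=%s" % (k, v)
+newquery = "&".join(["%s=%s" % (urllib.quote(k), urllib.quote(v))
 for k in newargs
 for v in newargs[k]
 ])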
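Review bot: The escapes in the first two hunks land inside double-quoted attributes (`value="%s"`), so the escaper must encode `"` as well as `<`, `>` and `&` — `twisted.web.html.escape` does, as far as I recall, but `cgi.escape` only does with `quote=True`; the `html` import is outside these hunks, so confirm which one waterfall.py uses, or a `"` in a branch name still breaks out of the attribute. In `with_args`, `urllib.quote(k)` / `urllib.quote(v)` leave `/` unencoded (quote's default `safe`) and turn spaces into `%20`; `urllib.quote_plus` is the conventional choice for a query string, and a non-string value in `newargs` would raise, so wrap with `str()` if any caller passes ints. `checked` on the radio line is left raw, which is fine as long as it is only ever the literal attribute text. The `body` and `with_args` functions continue outside the hunks.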
