Merge branch 'directory-xss'
minrk committed Nov 18, 2018
2 parents 588b1f8 + 1ed04ff commit 288b73e
Showing 2 changed files with 55 additions and 23 deletions.
15 changes: 15 additions & 0 deletions docs/source/changelog.rst
Expand Up @@ -21,6 +21,21 @@ We strongly recommend that you upgrade pip to version 9+ of pip before upgrading
Use ``pip install pip --upgrade`` to upgrade pip. Check pip version with
``pip --version``.

.. _release-5.7.2:

5.7.2
-----

5.7.2 contains a security fix preventing malicious directory names
from being able to execute javascript. CVE request pending.

.. _release-5.7.1:

5.7.1
-----

5.7.1 contains a security fix preventing nbconvert endpoints from executing javascript with access to the server API. CVE request pending.

.. _release-5.7.0:

5.7.0
63 changes: 40 additions & 23 deletions notebook/static/tree/js/notebooklist.js
Expand Up @@ -383,18 +383,28 @@ define([
breadcrumb.empty();
var list_item = $('<li/>');
var root_url = utils.url_path_join(that.base_url, '/tree');
var root = $('<li/>').append('<a href="' + root_url + '"><i class="fa fa-folder"></i></a>').click(function(e) {
// Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
if(e.altKey || e.metaKey || e.shiftKey) {
return true;
}
var path = '';
window.history.pushState({
path: path
}, 'Home', utils.url_path_join(that.base_url, 'tree'));
that.update_location(path);
return false;
});
var root = $('<li/>').append(
$("<a/>")
.attr('href', root_url)
.append(
$("<i/>")
.addClass('fa fa-folder')
)
.click(function(e) {
// Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
if(e.altKey || e.metaKey || e.shiftKey) {
return true;
}
var path = '';
window.history.pushState(
{path: path},
'Home',
utils.url_path_join(that.base_url, 'tree')
);
that.update_location(path);
return false;
})
);
breadcrumb.append(root);
var path_parts = [];
this.notebook_path.split('/').forEach(function(path_part) {
Expand All @@ -405,17 +415,24 @@ define([
'/tree',
utils.encode_uri_components(path)
);
var crumb = $('<li/>').append('<a href="' + url + '">' + path_part + '</a>').click(function(e) {
// Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
if(e.altKey || e.metaKey || e.shiftKey) {
return true;
}
window.history.pushState({
path: path
}, path, url);
that.update_location(path);
return false;
});
var crumb = $('<li/>').append(
$('<a/>')
.attr('href', url)
.text(path_part)
.click(function(e) {
// Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
if(e.altKey || e.metaKey || e.shiftKey) {
return true;
}
window.history.pushState(
{path: path},
path,
url
);
that.update_location(path);
return false;
})
);
breadcrumb.append(crumb);
});
this.contents.list_contents(that.notebook_path).then(
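Review bot: In the second hunk the click handler is now bound to the `<a>` element rather than to the enclosing `<li>` as before (`$('<li/>').append(...).click(...)` in the removed lines versus `$('<a/>')...click(...)` in the added ones), so a click on the list item outside the anchor no longer goes through `pushState`/`update_location`; this appears unrelated to the escaping fix and is worth either confirming as intended or moving `.click(...)` back onto the `<li>`. The root crumb in the first hunk has the same relocation. The `.text(path_part)` call is the actual fix, and a why-comment would guard it against being folded back into an HTML string later, e.g. `// Use .text()/.attr(): path_part is a filesystem name and must be rendered literally, never parsed as HTML`. The enclosing function starts before the hunk and continues after it.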
