From 470997ae3b85b2ab6fa5d01304564e9a23677f74 Mon Sep 17 00:00:00 2001
From: marcosptf
Date: Sun, 19 May 2019 10:53:19 -0300
Subject: [PATCH 1/8] WIP: fixing XSS vulnerability
---
 quokka/admin/actions.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/quokka/admin/actions.py b/quokka/admin/actions.py
index 600d603d5..d29ab17e6 100644
--- a/quokka/admin/actions.py
+++ b/quokka/admin/actions.py
@@ -82,6 +82,10 @@ def action_create_userprofile(self, ids):
 existing_block = current_app.db.get(
 'index', {'content_type': 'block', 'slug': fullslug}
 )
+
+ #fix vulnerabillity here
+ #test sanity variables values
+
 if existing_block:
 blocklink = url_for(
 'quokka.core.content.admin.blockview.edit_view',
From 0239d7d4abdf3cccd8962c498fb0c56b80489164 Mon Sep 17 00:00:00 2001
From: marcosptf
Date: Sun, 19 May 2019 10:56:21 -0300
Subject: [PATCH 2/8] WIP: fixing vulnerability
---
 quokka/core/content/views.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/quokka/core/content/views.py b/quokka/core/content/views.py
index 74c72d288..590f875b6 100644
--- a/quokka/core/content/views.py
+++ b/quokka/core/content/views.py
@@ -91,6 +91,7 @@ def set_elements_visibility(self, context, content_type):
 class ArticleListView(BaseView):
+ #apply fixes to vulnerability XXE
 def get(self, category=None, tag=None, author=None, page_number=1, ext=None):
 context = {}
From 538b074e792bef1abd293af7021cbada8b1207c8 Mon Sep 17 00:00:00 2001
From: marcosptf
Date: Thu, 6 Jun 2019 08:45:50 -0300
Subject: [PATCH 3/8] fixing pep8
---
 quokka/admin/actions.py | 4 ++--
 quokka/admin/wtforms_html5.py | 2 +-
 quokka/core/content/models.py | 14 +++++++-------
 quokka/core/content/utils.py | 5 +++--
 quokka/core/content/views.py | 5 +++--
 quokka/core/db.py | 19 ++++++++-----------
 quokka/core/views/sitemap.py | 10 +++++-----
 quokka/utils/upload.py | 2 +-
 8 files changed, 30 insertions(+), 31 deletions(-)
diff --git a/quokka/admin/actions.py b/quokka/admin/actions.py
index d29ab17e6..42c4b17de 100644
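Review bot: The four added lines in the actions.py hunk are placeholder comments and the hunk changes no behaviour, so the XSS named in the subject is not fixed by this commit and `fullslug` reaches the lookup and the `url_for(...)` link below exactly as before. If a fix is still intended, the comment should name the untrusted value and the sink rather than "fix vulnerabillity here", e.g. `# TODO(security): validate fullslug before it is used to build the edit_view link`; otherwise the commit should be squashed out, since [PATCH 5/8] in this series reverts it verbatim. action_create_userprofile starts before and continues past the hunk.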
--- a/quokka/admin/actions.py
+++ b/quokka/admin/actions.py
@@ -83,8 +83,8 @@ def action_create_userprofile(self, ids):
 'index', {'content_type': 'block', 'slug': fullslug}
 )
 
- #fix vulnerabillity here
- #test sanity variables values
+ # fix vulnerabillity here
+ # test sanity variables values
 
 if existing_block:
 blocklink = url_for(
diff --git a/quokka/admin/wtforms_html5.py b/quokka/admin/wtforms_html5.py
index ccc3a1c09..85e01933f 100644
--- a/quokka/admin/wtforms_html5.py
+++ b/quokka/admin/wtforms_html5.py
@@ -195,7 +195,7 @@ def set_title(field, render_kw=None):
 """
 if render_kw is None:
 render_kw = {}
- if 'title' not in render_kw and getattr(field, 'description'):
+ if 'title' not in render_kw and getattr(field, 'description', None):
 render_kw['title'] = '{}'.format(field.description)
 return render_kw
 
diff --git a/quokka/core/content/models.py b/quokka/core/content/models.py
index 6d2fcc4d9..5358ed079 100644
--- a/quokka/core/content/models.py
+++ b/quokka/core/content/models.py
@@ -230,13 +230,13 @@ def metadata(self):
 # TODO: get metadata from database
 # TODO: implement libratar/gravatar
 # return {
- # 'cover': 'foo',
- # 'author_gravatar': 'http://i.pravatar.cc/300',
- # 'about_author': 'About Author',
- # 'translations': ['en'],
- # 'og_image': 'foo',
- # 'series': 'aa',
- # 'asides': 'aaa'
+ # 'cover': 'foo',
+ # 'author_gravatar': 'http://i.pravatar.cc/300',
+ # 'about_author': 'About Author',
+ # 'translations': ['en'],
+ # 'og_image': 'foo',
+ # 'series': 'aa',
+ # 'asides': 'aaa'
 # }
 data = {}
 data.update(custom_var_dict(self.data.get('custom_vars')))
diff --git a/quokka/core/content/utils.py b/quokka/core/content/utils.py
index 57aaef312..9d5deb8ce 100644
--- a/quokka/core/content/utils.py
+++ b/quokka/core/content/utils.py
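Review bot: `getattr(field, 'description', None)` correctly stops the bare `getattr` from raising AttributeError on objects without a description, but the value still lands in an HTML `title` attribute on the next line via `'{}'.format(field.description)`, and nothing in this hunk escapes it; whether a description containing `"` can break out of the attribute depends on the renderer that consumes `render_kw` (presumably WTForms' `html_params`, not visible here) and is worth confirming at the render site. As a style point, `str(field.description)` says the same as `'{}'.format(field.description)` more directly. set_title starts outside the hunk.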
@@ -10,9 +10,10 @@ def url_for_content(content, include_ext=True):
 else:
 data = content
 
+ category_slug_data = data.get('category_slug')
+ category_data = slugify_category(data.get('category') or '')
 category_slug = (
- data.get('category_slug') or
- slugify_category(data.get('category') or '')
+ category_slug_data or category_data
 )
 
 slug = data.get('slug') or slugify(data.get('title'))
diff --git a/quokka/core/content/views.py b/quokka/core/content/views.py
index 74c72d288..08d6d9bc1 100644
--- a/quokka/core/content/views.py
+++ b/quokka/core/content/views.py
@@ -255,6 +255,8 @@ def render_rss(self, content_type, templates, **context):
 for content in contents:
 content = make_model(content)
+ content_data = content.title.encode('utf-8')
+ content_data += content.url.encode('utf-8')
 if content.date > rss_pubdate:
 rss_pubdate = content.date
@@ -267,8 +269,7 @@ def render_rss(self, content_type, templates, **context):
 author=str(content.author),
 categories=[str(content.tags)],
 guid=hashlib.sha1(
- content.title.encode('utf-8') +
- content.url.encode('utf-8')
+ content_data
 ).hexdigest(),
 pubDate=content.date,
 )
diff --git a/quokka/core/db.py b/quokka/core/db.py
index 431c55aea..afc09ad77 100644
--- a/quokka/core/db.py
+++ b/quokka/core/db.py
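Review bot: Hoisting both operands into `category_slug_data` and `category_data` drops the short-circuit of the old `or`: `slugify_category(...)` now runs on every call even when `category_slug` is already set, and any exception it raises for an unusual `category` value now surfaces for content that previously never reached it. A guard keeps the pep8 line length without the extra work: `category_slug = data.get('category_slug')` / `if not category_slug:` / `    category_slug = slugify_category(data.get('category') or '')`. url_for_content starts before and continues past the hunk.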
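Review bot: The hoisted `content_data` is still title and url concatenated with no separator, so two items whose title/url pairs differ only in where the boundary falls produce the same SHA-1 and therefore the same RSS `guid`; the second hunk keeps that ambiguity. A delimiter that cannot occur in a URL removes it, e.g. `content_data = '{}\n{}'.format(content.title, content.url).encode('utf-8')`, with the caveat that any change to the formula renumbers every existing guid and aggregators will re-show old items once. render_rss starts before and continues past both hunks.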
@@ -183,17 +183,14 @@ def page_set(self, *args, **kwargs):
 return self.content_set(*args, **kwargs)
 
 def block_set(self, *args, **kwargs):
- kwargs.setdefault(
- 'sort',
- self.app.theme_context.get(
- 'BLOCK_ORDER_BY', [('title', -1)]
- )
- )
- if not args:
- args = [{'content_type': 'block'}]
- elif isinstance(args[0], dict):
- args[0]['content_type'] = 'block'
- return self.content_set(*args, **kwargs)
+ kwargs.setdefault('sort', self.app.theme_context.get(
+ 'BLOCK_ORDER_BY', [('title', -1)]
+ ))
+ if not args:
+ args = [{'content_type': 'block'}]
+ elif isinstance(args[0], dict):
+ args[0]['content_type'] = 'block'
+ return self.content_set(*args, **kwargs)
 
 def select(self, colname, *args, **kwargs):
 return self.get_collection(colname).find(*args, **kwargs)
diff --git a/quokka/core/views/sitemap.py b/quokka/core/views/sitemap.py
index 871372817..2cdca943b 100644
--- a/quokka/core/views/sitemap.py
+++ b/quokka/core/views/sitemap.py
@@ -11,12 +11,12 @@ def get_contents(self):
 TODO: Should include extra paths, fixed paths config based paths, static paths
 """
+ content = self.get_index() + self.get_categories()
+ content += self.get_tags() + self.get_authors()
+ content += self.get_articles_and_pages()
+
 return (
- self.get_index() +
- self.get_categories() +
- self.get_tags() +
- self.get_authors() +
- self.get_articles_and_pages()
+ content
 )
 
 def get_index(self):
diff --git a/quokka/utils/upload.py b/quokka/utils/upload.py
index 251e1c50f..bc8042679 100644
--- a/quokka/utils/upload.py
+++ b/quokka/utils/upload.py
@@ -9,7 +9,7 @@ def dated_path(obj, file_data):
 try:
- prefix = getattr(obj, 'model_name')
+ prefix = getattr(obj, 'model_name', None)
 except BaseException:
 prefix = "undefined"
From 4d07b172037f109b5f1b25760c99d418a0b44438 Mon Sep 17 00:00:00 2001
From: marcosptf
Date: Thu, 6 Jun 2019 09:05:39 -0300
Subject: [PATCH 4/8] fixing pep8
---
 quokka/core/content/views.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
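Review bot: `args[0]['content_type'] = 'block'` in the rewritten block_set writes into the caller's own filter dict, so a dict the caller reuses for another query silently keeps `content_type: 'block'`; the reformat carries that over unchanged. Tagging a copy avoids the side effect: `args = ({**args[0], 'content_type': 'block'},) + tuple(args[1:])` in place of the in-place assignment. The enclosing class starts before the hunk.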
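Review bot: Once the sum is accumulated in `content`, the `return (` / `content` / `)` that remains in get_contents is a parenthesised bare name spread over three lines; `return content` is the whole statement. The accumulator name is also vague for what the helpers return — `entries` or `urls` would say what is being collected. get_contents starts outside the hunk.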
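Review bot: Giving `getattr(obj, 'model_name', None)` a default means the missing-attribute case no longer raises, so the `except BaseException` fallback that set `prefix = "undefined"` is now dead for that case and `prefix` is `None` instead, which presumably ends up in the path built further down in dated_path (outside the hunk) where a string is expected. Put the fallback in the default and drop the catch-all, which also swallows KeyboardInterrupt and SystemExit: `prefix = getattr(obj, 'model_name', 'undefined')`. dated_path continues past the hunk.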
diff --git a/quokka/core/content/views.py b/quokka/core/content/views.py
index b4215e91f..48fe170aa 100644
--- a/quokka/core/content/views.py
+++ b/quokka/core/content/views.py
@@ -91,7 +91,7 @@ def set_elements_visibility(self, context, content_type):
 class ArticleListView(BaseView):
- #apply fixes to vulnerability XXE
+ # apply fixes to vulnerability XXE
 def get(self, category=None, tag=None, author=None, page_number=1, ext=None):
 context = {}
From fece2a8656a8a76215ec1ab6961c7bb9440619c7 Mon Sep 17 00:00:00 2001
From: marcosptf
Date: Sun, 9 Jun 2019 17:59:17 -0300
Subject: [PATCH 5/8] rollback files from original version - 0
---
 quokka/admin/actions.py | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/quokka/admin/actions.py b/quokka/admin/actions.py
index 42c4b17de..600d603d5 100644
--- a/quokka/admin/actions.py
+++ b/quokka/admin/actions.py
@@ -82,10 +82,6 @@ def action_create_userprofile(self, ids):
 existing_block = current_app.db.get(
 'index', {'content_type': 'block', 'slug': fullslug}
 )
-
- # fix vulnerabillity here
- # test sanity variables values
-
 if existing_block:
 blocklink = url_for(
 'quokka.core.content.admin.blockview.edit_view',
From fcba0e8e4710861476a2a523765ff1295e53475b Mon Sep 17 00:00:00 2001
From: marcosptf
Date: Sun, 9 Jun 2019 18:00:19 -0300
Subject: [PATCH 6/8] rollback files from original version - 1
---
 quokka/core/content/views.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/quokka/core/content/views.py b/quokka/core/content/views.py
index 48fe170aa..08d6d9bc1 100644
--- a/quokka/core/content/views.py
+++ b/quokka/core/content/views.py
@@ -91,7 +91,6 @@ def set_elements_visibility(self, context, content_type):
 class ArticleListView(BaseView):
- # apply fixes to vulnerability XXE
 def get(self, category=None, tag=None, author=None, page_number=1, ext=None):
 context = {}
From d0a448bf234361980be34bc2ed345c94b266705b Mon Sep 17 00:00:00 2001
From: marcosptf
Date: Wed, 17 Jul 2019 05:45:56 -0300
Subject: [PATCH 7/8] remove todo list
---
 quokka/core/content/models.py | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/quokka/core/content/models.py b/quokka/core/content/models.py
index 5358ed079..3c7eb4ffb 100644
--- a/quokka/core/content/models.py
+++ b/quokka/core/content/models.py
@@ -227,17 +227,6 @@ def locale_modified(self):
 
 @property
 def metadata(self):
- # TODO: get metadata from database
- # TODO: implement libratar/gravatar
- # return {
- # 'cover': 'foo',
- # 'author_gravatar': 'http://i.pravatar.cc/300',
- # 'about_author': 'About Author',
- # 'translations': ['en'],
- # 'og_image': 'foo',
- # 'series': 'aa',
- # 'asides': 'aaa'
- # }
 data = {}
 data.update(custom_var_dict(self.data.get('custom_vars')))
 return data
From 9ab02456bf6de5a54e02ff47be34ba504bd33a5d Mon Sep 17 00:00:00 2001
From: marcosptf
Date: Wed, 17 Jul 2019 05:56:41 -0300
Subject: [PATCH 8/8] fixing data.get
---
 quokka/core/content/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/quokka/core/content/utils.py b/quokka/core/content/utils.py
index 9d5deb8ce..92d4f7f5c 100644
--- a/quokka/core/content/utils.py
+++ b/quokka/core/content/utils.py
@@ -11,7 +11,7 @@ def url_for_content(content, include_ext=True):
 data = content
 
 category_slug_data = data.get('category_slug')
- category_data = slugify_category(data.get('category') or '')
+ category_data = slugify_category(data.get('category', ''))
 category_slug = (
 category_slug_data or category_data
 )
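Review bot: `data.get('category', '')` in the [PATCH 8/8] hunk only substitutes the default when the key is absent, whereas the `or ''` it replaces also covered a key that is present with `None` (or empty), so content whose stored `category` is `None` now reaches `slugify_category(None)` where it previously got `''`. Unless `slugify_category` is known to accept `None` (not visible here), keep the coalescing form: `category_data = slugify_category(data.get('category') or '')`. url_for_content starts before and continues past the hunk.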