2 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/c53f747732a1/
Changeset: c53f747732a1
Branch: next-stable
User: guerler
Date: 2014-11-25 19:04:43+00:00
Summary: Fixes security issue 2.2 for regular grid values
Affected #: 1 file
diff -r 8e001650dc70e9fe1230b5ffca7f1d167d77fd3c -r c53f747732a115c7ec6ed3e192bb059d12266865 lib/galaxy/web/framework/helpers/grids.py
--- a/lib/galaxy/web/framework/helpers/grids.py
+++ b/lib/galaxy/web/framework/helpers/grids.py
@@ -8,6 +8,7 @@
from galaxy.web.framework import decorators
from galaxy.web.framework import url_for
from galaxy.web.framework.helpers import iff
+from markupsafe import escape
from sqlalchemy.sql.expression import and_, func, or_
@@ -362,7 +363,7 @@
value = None
if self.format:
value = self.format( value )
- return value
+ return escape(value)
def get_link( self, trans, grid, item ):
if self.link and self.link( item ):
return self.link( item )
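Review bot: The new `return escape(value)` turns a `None` result into the markup string `'None'`, because markupsafe's `escape` stringifies anything that lacks `__html__`, and the hunk itself shows `value = None` being assigned on the path just above the `if self.format:` check. Callers that previously tested the returned value for `None` will now see a truthy string, so guard it: `return escape(value) if value is not None else None`. A `format` callable that intentionally builds HTML must now return a `Markup` (anything exposing `__html__`) or its tags are neutralised; that contract is worth a one-line comment above the return. The enclosing method starts before this hunk, and the identical hunk is repeated in the merge commit c0a41931fcfc below.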
https://bitbucket.org/galaxy/galaxy-central/commits/c0a41931fcfc/
Changeset: c0a41931fcfc
User: guerler
Date: 2014-11-25 19:05:02+00:00
Summary: Merge
Affected #: 9 files
diff -r a0eda112fa3b6456a5ae663ff2ddcc0137c87714 -r c0a41931fcfc00b52423667d33910eeb59cf5ac6 client/galaxy/scripts/galaxy.menu.js
--- a/client/galaxy/scripts/galaxy.menu.js
+++ b/client/galaxy/scripts/galaxy.menu.js
@@ -24,7 +24,7 @@
var tab_analysis = new mod_masthead.GalaxyMastheadTab({
id : "analysis",
title : "Analyze Data",
- content : "root/index",
+ content : "",
title_attribute : 'Analysis home view'
});
this.masthead.append(tab_analysis);
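Review bot: The `content` of the "Analyze Data" tab is replaced by an empty string with no comment explaining what an empty value means to `GalaxyMastheadTab` (no navigation, or a default route), which is defined outside this hunk. A short comment such as `// empty content: tab does not navigate; the masthead handles the default view` would tell the next reader whether this is intentional. The same edit appears again under static/scripts/galaxy.menu.js, and the packed copy under static/scripts/packed is generated from it.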
diff -r a0eda112fa3b6456a5ae663ff2ddcc0137c87714 -r c0a41931fcfc00b52423667d33910eeb59cf5ac6 config/galaxy.ini.sample
--- a/config/galaxy.ini.sample
+++ b/config/galaxy.ini.sample
@@ -523,6 +523,15 @@
# it faster on the fly.
#upstream_gzip = False
+# The following default adds a header to web request responses that will cause
+# modern web browsers to not allow Galaxy to be embedded in the frames of web
+# applications hosted at other hosts - this can help prevent a class of attack
+# called clickjacking (https://www.owasp.org/index.php/Clickjacking). If you
+# configuring a proxy to sit infront of Galaxy - please ensure this header
+# remains intact to protect your users. Uncomment and leave empty to not set
+# the `X-Frame-Options` header.
+#x_frame_options = SAMEORIGIN
+
# nginx can also handle file uploads (user-to-Galaxy) via nginx_upload_module.
# Configuration for this is complex and explained in detail in the
# documentation linked above. The upload store is a temporary directory in
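Review bot: The new comment block has two wording errors in its fifth line, "If you configuring a proxy to sit infront of Galaxy", which should read "If you are configuring a proxy to sit in front of Galaxy". It would also help operators to say why the default is `SAMEORIGIN` rather than the stricter `DENY`: the masthead script in this same commit targets frames such as `galaxy_main`, so Galaxy frames itself and `DENY` would break the UI; a sentence like `# SAMEORIGIN (not DENY) is required because Galaxy loads its own panels in frames.` covers it. The same hunk recurs in the three later copies of config/galaxy.ini.sample on this page.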
diff -r a0eda112fa3b6456a5ae663ff2ddcc0137c87714 -r c0a41931fcfc00b52423667d33910eeb59cf5ac6 lib/galaxy/config.py
--- a/lib/galaxy/config.py
+++ b/lib/galaxy/config.py
@@ -96,6 +96,7 @@
# been migrated from the Galaxy code distribution to the Tool Shed.
self.check_migrate_tools = string_as_bool( kwargs.get( 'check_migrate_tools', True ) )
self.shed_tool_data_path = kwargs.get( "shed_tool_data_path", None )
+ self.x_frame_options = kwargs.get( "x_frame_options", "SAMEORIGIN" )
if self.shed_tool_data_path:
self.shed_tool_data_path = resolve_path( self.shed_tool_data_path, self.root )
else:
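Review bot: The added `self.x_frame_options = kwargs.get( "x_frame_options", "SAMEORIGIN" )` accepts any string, and browsers generally ignore an `X-Frame-Options` header whose value is not `DENY`, `SAMEORIGIN` or `ALLOW-FROM`, so a misspelling in galaxy.ini silently removes the clickjacking protection rather than failing loudly. Consider stripping the value and warning on an unrecognised token, e.g. `if self.x_frame_options and self.x_frame_options.split()[0].upper() not in ( "DENY", "SAMEORIGIN", "ALLOW-FROM" ):` followed by `log.warning( "x_frame_options %r is not a recognised X-Frame-Options value", self.x_frame_options )`, assuming this module has a `log` like the rest of Galaxy. As a point of style, the line is wedged between the `shed_tool_data_path` assignment and the `if self.shed_tool_data_path:` that consumes it; moving it above or below that pair keeps the related statements together. The same hunk is repeated in the three later copies of lib/galaxy/config.py on this page.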
diff -r a0eda112fa3b6456a5ae663ff2ddcc0137c87714 -r c0a41931fcfc00b52423667d33910eeb59cf5ac6 lib/galaxy/web/framework/helpers/__init__.py
--- a/lib/galaxy/web/framework/helpers/__init__.py
+++ b/lib/galaxy/web/framework/helpers/__init__.py
@@ -7,7 +7,7 @@
from datetime import datetime, timedelta
from galaxy import eggs
from galaxy.util import hash_util
-from galaxy.util.json import dumps
+from galaxy.util.json import safe_dumps as dumps
eggs.require( "MarkupSafe" ) #required by WebHelpers
eggs.require( "WebHelpers" )
from webhelpers import date
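Review bot: Importing `safe_dumps as dumps` hides the behavioural change from anyone reading later uses of `dumps` in this module, since the name no longer says that the output is meant for embedding in templates. A one-line comment on the import would make the intent explicit, e.g. `# safe_dumps, not json.dumps: template helpers embed this output in HTML/JS, so the escaped variant is required`, adjusted to whatever `safe_dumps` actually escapes, which is not visible here. The same hunk appears again in the standalone commit 8e001650dc70 further down the page.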
diff -r a0eda112fa3b6456a5ae663ff2ddcc0137c87714 -r c0a41931fcfc00b52423667d33910eeb59cf5ac6 lib/galaxy/web/framework/helpers/grids.py
--- a/lib/galaxy/web/framework/helpers/grids.py
+++ b/lib/galaxy/web/framework/helpers/grids.py
@@ -8,6 +8,7 @@
from galaxy.web.framework import decorators
from galaxy.web.framework import url_for
from galaxy.web.framework.helpers import iff
+from markupsafe import escape
from sqlalchemy.sql.expression import and_, func, or_
@@ -362,7 +363,7 @@
value = None
if self.format:
value = self.format( value )
- return value
+ return escape(value)
def get_link( self, trans, grid, item ):
if self.link and self.link( item ):
return self.link( item )
diff -r a0eda112fa3b6456a5ae663ff2ddcc0137c87714 -r c0a41931fcfc00b52423667d33910eeb59cf5ac6 lib/galaxy/web/framework/webapp.py
--- a/lib/galaxy/web/framework/webapp.py
+++ b/lib/galaxy/web/framework/webapp.py
@@ -175,7 +175,11 @@
base.DefaultWebTransaction.__init__( self, environ )
self.setup_i18n()
self.expunge_all()
- self.debug = asbool( self.app.config.get( 'debug', False ) )
+ config = self.app.config
+ self.debug = asbool( config.get( 'debug', False ) )
+ x_frame_options = getattr( config, 'x_frame_options', None )
+ if x_frame_options:
+ self.response.headers['X-Frame-Options'] = x_frame_options
# Flag indicating whether we are in workflow building mode (means
# that the current history should not be used for parameter values
# and such).
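Review bot: The header assignment `self.response.headers['X-Frame-Options'] = x_frame_options` only runs for requests that construct this transaction, so responses produced elsewhere (static files served by a proxy, errors raised before this constructor runs) will not carry it, which is worth noting next to the ini comment that already asks proxies to preserve the header. A short comment on the `if x_frame_options:` line, such as `# empty/None disables the header; see x_frame_options in galaxy.ini.sample`, would document the opt-out that config.py relies on. The `config` local introduced here is also used by the next hunk some thirty lines later, which is fine only if both sit in the same method; the `def` is outside this hunk. The same hunks recur in the later copies of lib/galaxy/web/framework/webapp.py on this page.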
@@ -202,9 +206,9 @@
# When we've authenticated by session, we have to check the
# following.
# Prevent deleted users from accessing Galaxy
- if self.app.config.use_remote_user and self.galaxy_session.user.deleted:
+ if config.use_remote_user and self.galaxy_session.user.deleted:
self.response.send_redirect( url_for( '/static/user_disabled.html' ) )
- if self.app.config.require_login:
+ if config.require_login:
self._ensure_logged_in_user( environ, session_cookie )
def setup_i18n( self ):
@@ -261,6 +265,9 @@
tstamp = time.localtime( time.time() + 3600 * 24 * age )
self.response.cookies[name]['expires'] = time.strftime( '%a, %d-%b-%Y %H:%M:%S GMT', tstamp )
self.response.cookies[name]['version'] = version
+ https = self.request.environ[ "wsgi.url_scheme" ] == "https"
+ if https:
+ self.response.cookies[name]['secure'] = True
try:
self.response.cookies[name]['httponly'] = True
except CookieError, e:
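Review bot: Deciding the `secure` flag from `self.request.environ[ "wsgi.url_scheme" ]` only works when the WSGI environment reflects the scheme the browser used; behind a TLS-terminating proxy that does not rewrite the scheme (typically from an `X-Forwarded-Proto` header) the value stays `http` and the cookie is issued without `secure` even though the user is on HTTPS. Either document this next to the check, `# relies on the proxy/middleware setting wsgi.url_scheme from the external scheme`, or let an explicit config flag force the secure flag for deployments that are HTTPS-only. The cookie helper containing these lines starts before the hunk, and the same hunk is repeated in the later copies of lib/galaxy/web/framework/webapp.py on this page.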
diff -r a0eda112fa3b6456a5ae663ff2ddcc0137c87714 -r c0a41931fcfc00b52423667d33910eeb59cf5ac6 static/scripts/galaxy.menu.js
--- a/static/scripts/galaxy.menu.js
+++ b/static/scripts/galaxy.menu.js
@@ -24,7 +24,7 @@
var tab_analysis = new mod_masthead.GalaxyMastheadTab({
id : "analysis",
title : "Analyze Data",
- content : "root/index",
+ content : "",
title_attribute : 'Analysis home view'
});
this.masthead.append(tab_analysis);
diff -r a0eda112fa3b6456a5ae663ff2ddcc0137c87714 -r c0a41931fcfc00b52423667d33910eeb59cf5ac6 static/scripts/packed/galaxy.menu.js
--- a/static/scripts/packed/galaxy.menu.js
+++ b/static/scripts/packed/galaxy.menu.js
@@ -1,1 +1,1 @@
-define(["galaxy.masthead"],function(b){var a=Backbone.Model.extend({options:null,masthead:null,initialize:function(c){this.options=c.config;this.masthead=c.masthead;this.create()},create:function(){var e=new b.GalaxyMastheadTab({id:"analysis",title:"Analyze Data",content:"root/index",title_attribute:"Analysis home view"});this.masthead.append(e);var g={id:"workflow",title:"Workflow",content:"workflow",title_attribute:"Chain tools into workflows"};if(!this.options.user.valid){g.disabled=true}var d=new b.GalaxyMastheadTab(g);this.masthead.append(d);var i=new b.GalaxyMastheadTab({id:"shared",title:"Shared Data",content:"library/index",title_attribute:"Access published resources"});i.add({title:"Data Libraries",content:"library/index"});i.add({title:"Data Libraries Beta",content:"library/list",divider:true});i.add({title:"Published Histories",content:"history/list_published"});i.add({title:"Published Workflows",content:"workflow/list_published"});i.add({title:"Published Visualizations",content:"visualization/list_published"});i.add({title:"Published Pages",content:"page/list_published"});this.masthead.append(i);if(this.options.user.requests){var j=new b.GalaxyMastheadTab({id:"lab",title:"Lab"});j.add({title:"Sequencing Requests",content:"requests/index"});j.add({title:"Find Samples",content:"requests/find_samples_index"});j.add({title:"Help",content:this.options.lims_doc_url});this.masthead.append(j)}var c={id:"visualization",title:"Visualization",content:"visualization/list",title_attribute:"Visualize datasets"};if(!this.options.user.valid){c.disabled=true}var m=new b.GalaxyMastheadTab(c);if(this.options.user.valid){m.add({title:"New Track Browser",content:"visualization/trackster",target:"_frame"});m.add({title:"Saved Visualizations",content:"visualization/list",target:"_frame"})}this.masthead.append(m);if(this.options.enable_cloud_launch){var f=new b.GalaxyMastheadTab({id:"cloud",title:"Cloud",content:"cloudlaunch/index"});f.add({title:"New Cloud 
Cluster",content:"cloudlaunch/index"});this.masthead.append(f)}if(this.options.is_admin_user){var h=new b.GalaxyMastheadTab({id:"admin",title:"Admin",content:"admin/index",extra_class:"admin-only",title_attribute:"Administer this Galaxy"});this.masthead.append(h)}var l=new b.GalaxyMastheadTab({id:"help",title:"Help",title_attribute:"Support, contact, and community hubs"});if(this.options.biostar_url){l.add({title:"Galaxy Biostar",content:this.options.biostar_url_redirect,target:"_blank"});l.add({title:"Ask a question",content:"biostar/biostar_question_redirect",target:"_blank"})}l.add({title:"Support",content:this.options.support_url,target:"_blank"});l.add({title:"Search",content:this.options.search_url,target:"_blank"});l.add({title:"Mailing Lists",content:this.options.mailing_lists,target:"_blank"});l.add({title:"Videos",content:this.options.screencasts_url,target:"_blank"});l.add({title:"Wiki",content:this.options.wiki_url,target:"_blank"});l.add({title:"How to Cite Galaxy",content:this.options.citation_url,target:"_blank"});if(this.options.terms_url){l.add({title:"Terms and Conditions",content:this.options.terms_url,target:"_blank"})}this.masthead.append(l);if(!this.options.user.valid){var k=new b.GalaxyMastheadTab({id:"user",title:"User",extra_class:"loggedout-only",title_attribute:"Account registration or login"});k.add({title:"Login",content:"user/login",target:"galaxy_main"});if(this.options.allow_user_creation){k.add({title:"Register",content:"user/create",target:"galaxy_main"})}this.masthead.append(k)}else{var k=new b.GalaxyMastheadTab({id:"user",title:"User",extra_class:"loggedin-only",title_attribute:"Account preferences and saved data"});k.add({title:"Logged in as "+this.options.user.email});k.add({title:"Preferences",content:"user?cntrller=user",target:"galaxy_main"});k.add({title:"Custom Builds",content:"user/dbkeys",target:"galaxy_main"});k.add({title:"Logout",content:"user/logout",target:"_top",divider:true});k.add({title:"Saved 
Histories",content:"history/list",target:"galaxy_main"});k.add({title:"Saved Datasets",content:"dataset/list",target:"galaxy_main"});k.add({title:"Saved Pages",content:"page/list",target:"_top"});k.add({title:"API Keys",content:"user/api_keys?cntrller=user",target:"galaxy_main"});if(this.options.use_remote_user){k.add({title:"Public Name",content:"user/edit_username?cntrller=user",target:"galaxy_main"})}this.masthead.append(k)}if(this.options.active_view){this.masthead.highlight(this.options.active_view)}}});return{GalaxyMenu:a}});
\ No newline at end of file
+define(["galaxy.masthead"],function(b){var a=Backbone.Model.extend({options:null,masthead:null,initialize:function(c){this.options=c.config;this.masthead=c.masthead;this.create()},create:function(){var e=new b.GalaxyMastheadTab({id:"analysis",title:"Analyze Data",content:"",title_attribute:"Analysis home view"});this.masthead.append(e);var g={id:"workflow",title:"Workflow",content:"workflow",title_attribute:"Chain tools into workflows"};if(!this.options.user.valid){g.disabled=true}var d=new b.GalaxyMastheadTab(g);this.masthead.append(d);var i=new b.GalaxyMastheadTab({id:"shared",title:"Shared Data",content:"library/index",title_attribute:"Access published resources"});i.add({title:"Data Libraries",content:"library/index"});i.add({title:"Data Libraries Beta",content:"library/list",divider:true});i.add({title:"Published Histories",content:"history/list_published"});i.add({title:"Published Workflows",content:"workflow/list_published"});i.add({title:"Published Visualizations",content:"visualization/list_published"});i.add({title:"Published Pages",content:"page/list_published"});this.masthead.append(i);if(this.options.user.requests){var j=new b.GalaxyMastheadTab({id:"lab",title:"Lab"});j.add({title:"Sequencing Requests",content:"requests/index"});j.add({title:"Find Samples",content:"requests/find_samples_index"});j.add({title:"Help",content:this.options.lims_doc_url});this.masthead.append(j)}var c={id:"visualization",title:"Visualization",content:"visualization/list",title_attribute:"Visualize datasets"};if(!this.options.user.valid){c.disabled=true}var m=new b.GalaxyMastheadTab(c);if(this.options.user.valid){m.add({title:"New Track Browser",content:"visualization/trackster",target:"_frame"});m.add({title:"Saved Visualizations",content:"visualization/list",target:"_frame"})}this.masthead.append(m);if(this.options.enable_cloud_launch){var f=new b.GalaxyMastheadTab({id:"cloud",title:"Cloud",content:"cloudlaunch/index"});f.add({title:"New Cloud 
Cluster",content:"cloudlaunch/index"});this.masthead.append(f)}if(this.options.is_admin_user){var h=new b.GalaxyMastheadTab({id:"admin",title:"Admin",content:"admin/index",extra_class:"admin-only",title_attribute:"Administer this Galaxy"});this.masthead.append(h)}var l=new b.GalaxyMastheadTab({id:"help",title:"Help",title_attribute:"Support, contact, and community hubs"});if(this.options.biostar_url){l.add({title:"Galaxy Biostar",content:this.options.biostar_url_redirect,target:"_blank"});l.add({title:"Ask a question",content:"biostar/biostar_question_redirect",target:"_blank"})}l.add({title:"Support",content:this.options.support_url,target:"_blank"});l.add({title:"Search",content:this.options.search_url,target:"_blank"});l.add({title:"Mailing Lists",content:this.options.mailing_lists,target:"_blank"});l.add({title:"Videos",content:this.options.screencasts_url,target:"_blank"});l.add({title:"Wiki",content:this.options.wiki_url,target:"_blank"});l.add({title:"How to Cite Galaxy",content:this.options.citation_url,target:"_blank"});if(this.options.terms_url){l.add({title:"Terms and Conditions",content:this.options.terms_url,target:"_blank"})}this.masthead.append(l);if(!this.options.user.valid){var k=new b.GalaxyMastheadTab({id:"user",title:"User",extra_class:"loggedout-only",title_attribute:"Account registration or login"});k.add({title:"Login",content:"user/login",target:"galaxy_main"});if(this.options.allow_user_creation){k.add({title:"Register",content:"user/create",target:"galaxy_main"})}this.masthead.append(k)}else{var k=new b.GalaxyMastheadTab({id:"user",title:"User",extra_class:"loggedin-only",title_attribute:"Account preferences and saved data"});k.add({title:"Logged in as "+this.options.user.email});k.add({title:"Preferences",content:"user?cntrller=user",target:"galaxy_main"});k.add({title:"Custom Builds",content:"user/dbkeys",target:"galaxy_main"});k.add({title:"Logout",content:"user/logout",target:"_top",divider:true});k.add({title:"Saved 
Histories",content:"history/list",target:"galaxy_main"});k.add({title:"Saved Datasets",content:"dataset/list",target:"galaxy_main"});k.add({title:"Saved Pages",content:"page/list",target:"_top"});k.add({title:"API Keys",content:"user/api_keys?cntrller=user",target:"galaxy_main"});if(this.options.use_remote_user){k.add({title:"Public Name",content:"user/edit_username?cntrller=user",target:"galaxy_main"})}this.masthead.append(k)}if(this.options.active_view){this.masthead.highlight(this.options.active_view)}}});return{GalaxyMenu:a}});
\ No newline at end of file
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/8e001650dc70/
Changeset: 8e001650dc70
Branch: next-stable
User: dannon
Date: 2014-11-25 18:32:15+00:00
Summary: Swap webhelpers to use safe dumps.
Affected #: 1 file
diff -r 4d173afb6f7c0c59a36d35a23f4f0eecd30e79a6 -r 8e001650dc70e9fe1230b5ffca7f1d167d77fd3c lib/galaxy/web/framework/helpers/__init__.py
--- a/lib/galaxy/web/framework/helpers/__init__.py
+++ b/lib/galaxy/web/framework/helpers/__init__.py
@@ -7,7 +7,7 @@
from datetime import datetime, timedelta
from galaxy import eggs
from galaxy.util import hash_util
-from galaxy.util.json import dumps
+from galaxy.util.json import safe_dumps as dumps
eggs.require( "MarkupSafe" ) #required by WebHelpers
eggs.require( "WebHelpers" )
from webhelpers import date
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/a0eda112fa3b/
Changeset: a0eda112fa3b
User: martenson
Date: 2014-11-25 17:27:56+00:00
Summary: provide defaults for remote_repository_url and homepage_url, move the optional arguments to the end of the list
Affected #: 2 files
diff -r 624c1f52f62771dda89de969eed67c94c4bfeef5 -r a0eda112fa3b6456a5ae663ff2ddcc0137c87714 lib/galaxy/webapps/tool_shed/controllers/repository.py
--- a/lib/galaxy/webapps/tool_shed/controllers/repository.py
+++ b/lib/galaxy/webapps/tool_shed/controllers/repository.py
@@ -1084,12 +1084,12 @@
repository, message = repository_util.create_repository( trans.app,
name,
repository_type,
- remote_repository_url,
- homepage_url,
description,
long_description,
user_id=trans.user.id,
- category_ids=category_ids )
+ category_ids=category_ids,
+ remote_repository_url=remote_repository_url,
+ homepage_url=homepage_url )
trans.response.send_redirect( web.url_for( controller='repository',
action='manage_repository',
message=message,
diff -r 624c1f52f62771dda89de969eed67c94c4bfeef5 -r a0eda112fa3b6456a5ae663ff2ddcc0137c87714 lib/tool_shed/util/repository_util.py
--- a/lib/tool_shed/util/repository_util.py
+++ b/lib/tool_shed/util/repository_util.py
@@ -120,7 +120,7 @@
tool_dependencies )
return repo_info_dict
-def create_repository( app, name, type, remote_repository_url, homepage_url, description, long_description, user_id, category_ids=[] ):
+def create_repository( app, name, type, description, long_description, user_id, category_ids=[], remote_repository_url=None, homepage_url=None ):
"""Create a new ToolShed repository"""
sa_session = app.model.context.current
# Add the repository record to the database.
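Review bot: The rewritten signature keeps the mutable default `category_ids=[]`, so every call that omits the argument shares one list and any append inside the function (the body continues outside the hunk) leaks into later calls. Prefer `category_ids=None` in the signature with `category_ids = category_ids or []` at the top of the body; callers passing a list explicitly are unaffected. The parameter named `type` also shadows the builtin, but renaming it would change the keyword interface, so that is a separate decision.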
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/c7d09076b630/
Changeset: c7d09076b630
Branch: next-stable
User: dannon
Date: 2014-11-25 17:27:41+00:00
Summary: Merged in jmchilton/galaxy-central-fork-1/next-stable (pull request #573)
Enhanced client security.
Affected #: 3 files
diff -r 39ebfe2e1f1806137bb3f117845f788daaf185aa -r c7d09076b630f1ea42fc62e3e4c2dae5332b6892 config/galaxy.ini.sample
--- a/config/galaxy.ini.sample
+++ b/config/galaxy.ini.sample
@@ -523,6 +523,15 @@
# it faster on the fly.
#upstream_gzip = False
+# The following default adds a header to web request responses that will cause
+# modern web browsers to not allow Galaxy to be embedded in the frames of web
+# applications hosted at other hosts - this can help prevent a class of attack
+# called clickjacking (https://www.owasp.org/index.php/Clickjacking). If you
+# configuring a proxy to sit infront of Galaxy - please ensure this header
+# remains intact to protect your users. Uncomment and leave empty to not set
+# the `X-Frame-Options` header.
+#x_frame_options = SAMEORIGIN
+
# nginx can also handle file uploads (user-to-Galaxy) via nginx_upload_module.
# Configuration for this is complex and explained in detail in the
# documentation linked above. The upload store is a temporary directory in
diff -r 39ebfe2e1f1806137bb3f117845f788daaf185aa -r c7d09076b630f1ea42fc62e3e4c2dae5332b6892 lib/galaxy/config.py
--- a/lib/galaxy/config.py
+++ b/lib/galaxy/config.py
@@ -96,6 +96,7 @@
# been migrated from the Galaxy code distribution to the Tool Shed.
self.check_migrate_tools = string_as_bool( kwargs.get( 'check_migrate_tools', True ) )
self.shed_tool_data_path = kwargs.get( "shed_tool_data_path", None )
+ self.x_frame_options = kwargs.get( "x_frame_options", "SAMEORIGIN" )
if self.shed_tool_data_path:
self.shed_tool_data_path = resolve_path( self.shed_tool_data_path, self.root )
else:
diff -r 39ebfe2e1f1806137bb3f117845f788daaf185aa -r c7d09076b630f1ea42fc62e3e4c2dae5332b6892 lib/galaxy/web/framework/webapp.py
--- a/lib/galaxy/web/framework/webapp.py
+++ b/lib/galaxy/web/framework/webapp.py
@@ -175,7 +175,11 @@
base.DefaultWebTransaction.__init__( self, environ )
self.setup_i18n()
self.expunge_all()
- self.debug = asbool( self.app.config.get( 'debug', False ) )
+ config = self.app.config
+ self.debug = asbool( config.get( 'debug', False ) )
+ x_frame_options = getattr( config, 'x_frame_options', None )
+ if x_frame_options:
+ self.response.headers['X-Frame-Options'] = x_frame_options
# Flag indicating whether we are in workflow building mode (means
# that the current history should not be used for parameter values
# and such).
@@ -202,9 +206,9 @@
# When we've authenticated by session, we have to check the
# following.
# Prevent deleted users from accessing Galaxy
- if self.app.config.use_remote_user and self.galaxy_session.user.deleted:
+ if config.use_remote_user and self.galaxy_session.user.deleted:
self.response.send_redirect( url_for( '/static/user_disabled.html' ) )
- if self.app.config.require_login:
+ if config.require_login:
self._ensure_logged_in_user( environ, session_cookie )
def setup_i18n( self ):
@@ -261,6 +265,9 @@
tstamp = time.localtime( time.time() + 3600 * 24 * age )
self.response.cookies[name]['expires'] = time.strftime( '%a, %d-%b-%Y %H:%M:%S GMT', tstamp )
self.response.cookies[name]['version'] = version
+ https = self.request.environ[ "wsgi.url_scheme" ] == "https"
+ if https:
+ self.response.cookies[name]['secure'] = True
try:
self.response.cookies[name]['httponly'] = True
except CookieError, e:
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
3 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/bca09a437845/
Changeset: bca09a437845
Branch: next-stable
User: jmchilton
Date: 2014-11-25 14:59:40+00:00
Summary: Enable defense against clickjacking out of the box.
Look in config/galaxy.ini.sample for the option 'x_frame_options' for more information.
Affected #: 3 files
diff -r c1a9ed13d5f71deb671ab83ed262c0a861c469d2 -r bca09a437845ad229b141a33174894e90f36d916 config/galaxy.ini.sample
--- a/config/galaxy.ini.sample
+++ b/config/galaxy.ini.sample
@@ -523,6 +523,15 @@
# it faster on the fly.
#upstream_gzip = False
+# The following default adds a header to web request responses that will cause
+# modern web browsers to not allow Galaxy to be embedded in the frames of web
+# applications hosted at other hosts - this can help prevent a class of attack
+# called clickjacking (https://www.owasp.org/index.php/Clickjacking). If you
+# configuring a proxy to sit infront of Galaxy - please ensure this header
+# remains intact to protect your users. Uncomment and leave empty to not set
+# the `X-Frame-Options` header.
+#x_frame_options = SAMEORIGIN
+
# nginx can also handle file uploads (user-to-Galaxy) via nginx_upload_module.
# Configuration for this is complex and explained in detail in the
# documentation linked above. The upload store is a temporary directory in
diff -r c1a9ed13d5f71deb671ab83ed262c0a861c469d2 -r bca09a437845ad229b141a33174894e90f36d916 lib/galaxy/config.py
--- a/lib/galaxy/config.py
+++ b/lib/galaxy/config.py
@@ -96,6 +96,7 @@
# been migrated from the Galaxy code distribution to the Tool Shed.
self.check_migrate_tools = string_as_bool( kwargs.get( 'check_migrate_tools', True ) )
self.shed_tool_data_path = kwargs.get( "shed_tool_data_path", None )
+ self.x_frame_options = kwargs.get( "x_frame_options", "SAMEORIGIN" )
if self.shed_tool_data_path:
self.shed_tool_data_path = resolve_path( self.shed_tool_data_path, self.root )
else:
diff -r c1a9ed13d5f71deb671ab83ed262c0a861c469d2 -r bca09a437845ad229b141a33174894e90f36d916 lib/galaxy/web/framework/webapp.py
--- a/lib/galaxy/web/framework/webapp.py
+++ b/lib/galaxy/web/framework/webapp.py
@@ -175,7 +175,11 @@
base.DefaultWebTransaction.__init__( self, environ )
self.setup_i18n()
self.expunge_all()
- self.debug = asbool( self.app.config.get( 'debug', False ) )
+ config = self.app.config
+ self.debug = asbool( config.get( 'debug', False ) )
+ x_frame_options = getattr( config, 'x_frame_options', None )
+ if x_frame_options:
+ self.response.headers['X-Frame-Options'] = x_frame_options
# Flag indicating whether we are in workflow building mode (means
# that the current history should not be used for parameter values
# and such).
@@ -202,9 +206,9 @@
# When we've authenticated by session, we have to check the
# following.
# Prevent deleted users from accessing Galaxy
- if self.app.config.use_remote_user and self.galaxy_session.user.deleted:
+ if config.use_remote_user and self.galaxy_session.user.deleted:
self.response.send_redirect( url_for( '/static/user_disabled.html' ) )
- if self.app.config.require_login:
+ if config.require_login:
self._ensure_logged_in_user( environ, session_cookie )
def setup_i18n( self ):
https://bitbucket.org/galaxy/galaxy-central/commits/696b29477881/
Changeset: 696b29477881
Branch: next-stable
User: jmchilton
Date: 2014-11-25 14:59:40+00:00
Summary: Issue session cookies using 'secure' flag for HTTPS requests.
For more information see https://www.owasp.org/index.php/SecureFlag.
Affected #: 1 file
diff -r bca09a437845ad229b141a33174894e90f36d916 -r 696b294778817e68975140bde91894dce5f82299 lib/galaxy/web/framework/webapp.py
--- a/lib/galaxy/web/framework/webapp.py
+++ b/lib/galaxy/web/framework/webapp.py
@@ -265,6 +265,9 @@
tstamp = time.localtime( time.time() + 3600 * 24 * age )
self.response.cookies[name]['expires'] = time.strftime( '%a, %d-%b-%Y %H:%M:%S GMT', tstamp )
self.response.cookies[name]['version'] = version
+ https = self.request.environ[ "wsgi.url_scheme" ] == "https"
+ if https:
+ self.response.cookies[name]['secure'] = True
try:
self.response.cookies[name]['httponly'] = True
except CookieError, e:
https://bitbucket.org/galaxy/galaxy-central/commits/c7d09076b630/
Changeset: c7d09076b630
Branch: next-stable
User: dannon
Date: 2014-11-25 17:27:41+00:00
Summary: Merged in jmchilton/galaxy-central-fork-1/next-stable (pull request #573)
Enhanced client security.
Affected #: 3 files
diff -r 39ebfe2e1f1806137bb3f117845f788daaf185aa -r c7d09076b630f1ea42fc62e3e4c2dae5332b6892 config/galaxy.ini.sample
--- a/config/galaxy.ini.sample
+++ b/config/galaxy.ini.sample
@@ -523,6 +523,15 @@
# it faster on the fly.
#upstream_gzip = False
+# The following default adds a header to web request responses that will cause
+# modern web browsers to not allow Galaxy to be embedded in the frames of web
+# applications hosted at other hosts - this can help prevent a class of attack
+# called clickjacking (https://www.owasp.org/index.php/Clickjacking). If you
+# configuring a proxy to sit infront of Galaxy - please ensure this header
+# remains intact to protect your users. Uncomment and leave empty to not set
+# the `X-Frame-Options` header.
+#x_frame_options = SAMEORIGIN
+
# nginx can also handle file uploads (user-to-Galaxy) via nginx_upload_module.
# Configuration for this is complex and explained in detail in the
# documentation linked above. The upload store is a temporary directory in
diff -r 39ebfe2e1f1806137bb3f117845f788daaf185aa -r c7d09076b630f1ea42fc62e3e4c2dae5332b6892 lib/galaxy/config.py
--- a/lib/galaxy/config.py
+++ b/lib/galaxy/config.py
@@ -96,6 +96,7 @@
# been migrated from the Galaxy code distribution to the Tool Shed.
self.check_migrate_tools = string_as_bool( kwargs.get( 'check_migrate_tools', True ) )
self.shed_tool_data_path = kwargs.get( "shed_tool_data_path", None )
+ self.x_frame_options = kwargs.get( "x_frame_options", "SAMEORIGIN" )
if self.shed_tool_data_path:
self.shed_tool_data_path = resolve_path( self.shed_tool_data_path, self.root )
else:
diff -r 39ebfe2e1f1806137bb3f117845f788daaf185aa -r c7d09076b630f1ea42fc62e3e4c2dae5332b6892 lib/galaxy/web/framework/webapp.py
--- a/lib/galaxy/web/framework/webapp.py
+++ b/lib/galaxy/web/framework/webapp.py
@@ -175,7 +175,11 @@
base.DefaultWebTransaction.__init__( self, environ )
self.setup_i18n()
self.expunge_all()
- self.debug = asbool( self.app.config.get( 'debug', False ) )
+ config = self.app.config
+ self.debug = asbool( config.get( 'debug', False ) )
+ x_frame_options = getattr( config, 'x_frame_options', None )
+ if x_frame_options:
+ self.response.headers['X-Frame-Options'] = x_frame_options
# Flag indicating whether we are in workflow building mode (means
# that the current history should not be used for parameter values
# and such).
@@ -202,9 +206,9 @@
# When we've authenticated by session, we have to check the
# following.
# Prevent deleted users from accessing Galaxy
- if self.app.config.use_remote_user and self.galaxy_session.user.deleted:
+ if config.use_remote_user and self.galaxy_session.user.deleted:
self.response.send_redirect( url_for( '/static/user_disabled.html' ) )
- if self.app.config.require_login:
+ if config.require_login:
self._ensure_logged_in_user( environ, session_cookie )
def setup_i18n( self ):
@@ -261,6 +265,9 @@
tstamp = time.localtime( time.time() + 3600 * 24 * age )
self.response.cookies[name]['expires'] = time.strftime( '%a, %d-%b-%Y %H:%M:%S GMT', tstamp )
self.response.cookies[name]['version'] = version
+ https = self.request.environ[ "wsgi.url_scheme" ] == "https"
+ if https:
+ self.response.cookies[name]['secure'] = True
try:
self.response.cookies[name]['httponly'] = True
except CookieError, e:
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/c50a228167b0/
Changeset: c50a228167b0
Branch: stable
User: natefoo
Date: 2014-11-25 17:00:20+00:00
Summary: Update tag latest_2014.10.06 for changeset adc4aa8b3d9a
Affected #: 1 file
diff -r adc4aa8b3d9ad77ef85f8b0d7e4d90bd29775167 -r c50a228167b0a1a4541f46bb19b8d67c9010248d .hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -20,4 +20,4 @@
ca45b78adb4152fc6e7395514d46eba6b7d0b838 release_2014.08.11
548ab24667d6206780237bd807f7d857a484c461 latest_2014.08.11
2092948937ac30ef82f71463a235c66d34987088 release_2014.10.06
-bb79e87274d7ef4e043a84aeef8516a5418ef3b6 latest_2014.10.06
+adc4aa8b3d9ad77ef85f8b0d7e4d90bd29775167 latest_2014.10.06
Repository URL: https://bitbucket.org/galaxy/galaxy-central/