1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/a3db4f686603/
Changeset: a3db4f686603
User: davebgx
Date: 2014-02-27 15:20:45
Summary: Fix python 2.6 support.
Affected #: 1 file
diff -r a6fff5c62ceb6b73ffa67eb5ba8854adc8860eb7 -r a3db4f68660384e96212f7ebb0ff1856db40278b lib/tool_shed/util/commit_util.py
--- a/lib/tool_shed/util/commit_util.py
+++ b/lib/tool_shed/util/commit_util.py
@@ -289,8 +289,8 @@
revised = False
toolshed = elem.get( 'toolshed' )
changeset_revision = elem.get( 'changeset_revision' )
- sub_elems = elem.findall( './/' )
- if sub_elems:
+ sub_elems = [ child_elem for child_elem in list( elem ) ]
+ if len( sub_elems ) > 0:
# At this point, a <repository> tag will point only to a package.
# <package name="xorg_macros" version="1.17.1" />
# Coerce the list to an odict().
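Review bot: The new `sub_elems = [ child_elem for child_elem in list( elem ) ]` copies the child list twice for no gain; `sub_elems = list( elem )` yields the same value, and the following `if len( sub_elems ) > 0:` can remain `if sub_elems:`, which is valid on Python 2.6 too. Note also that `list( elem )` returns only direct children, whereas the replaced `findall( './/' )` walked every descendant, so a `<package>` nested deeper than one level would no longer be collected — presumably intended, but the summary does not mention the narrowing. handle_repository_dependency_elem starts and ends outside the hunk.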
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
2 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/a6af49ec80a8/
Changeset: a6af49ec80a8
User: BjoernGruening
Date: 2014-02-27 09:40:35
Summary: strip trailing slashes in tool IDs
Affected #: 1 file
diff -r ce7e90f9576ba51317508de0749a277e8d7f58bb -r a6af49ec80a89548af58750c87c67589ef7a0d9a lib/galaxy/jobs/__init__.py
--- a/lib/galaxy/jobs/__init__.py
+++ b/lib/galaxy/jobs/__init__.py
@@ -181,7 +181,7 @@
if tools is not None:
for tool in self.__findall_with_required(tools, 'tool'):
# There can be multiple definitions with identical ids, but different params
- id = tool.get('id').lower()
+ id = tool.get('id').lower().strip('/')
if id not in self.tools:
self.tools[id] = list()
self.tools[id].append(JobToolConfiguration(**dict(tool.items())))
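Review bot: The new `id = tool.get('id').lower().strip('/')` keeps the local named `id`, shadowing the builtin, and it raises AttributeError if a `<tool>` element has no `id` attribute — unless `__findall_with_required` already enforces that attribute, which is not visible here. Renaming the local, e.g. `tool_id = tool.get('id').lower().strip('/')` with the two following lines updated to match, would read better and stop masking the builtin. The same point applies to the follow-up hunk in changeset a6fff5c62ceb below, which only changes `strip` to `rstrip`. The enclosing method starts and ends outside the hunk.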
https://bitbucket.org/galaxy/galaxy-central/commits/a6fff5c62ceb/
Changeset: a6fff5c62ceb
User: BjoernGruening
Date: 2014-02-27 11:12:49
Summary: change strip to rstrip as proposed by Nicola
Affected #: 1 file
diff -r a6af49ec80a89548af58750c87c67589ef7a0d9a -r a6fff5c62ceb6b73ffa67eb5ba8854adc8860eb7 lib/galaxy/jobs/__init__.py
--- a/lib/galaxy/jobs/__init__.py
+++ b/lib/galaxy/jobs/__init__.py
@@ -181,7 +181,7 @@
if tools is not None:
for tool in self.__findall_with_required(tools, 'tool'):
# There can be multiple definitions with identical ids, but different params
- id = tool.get('id').lower().strip('/')
+ id = tool.get('id').lower().rstrip('/')
if id not in self.tools:
self.tools[id] = list()
self.tools[id].append(JobToolConfiguration(**dict(tool.items())))
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
2 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/7f7da7248d4d/
Changeset: 7f7da7248d4d
Branch: stable
User: greg
Date: 2014-02-26 21:09:43
Summary: Fixes for handling complex repository dependency definitions in tool dependency recipes.
Affected #: 2 files
diff -r 66aa6798e55303abc40fbb585c75e8c77638cca3 -r 7f7da7248d4de5d9f039639db77721d0b22fa6c5 lib/tool_shed/util/commit_util.py
--- a/lib/tool_shed/util/commit_util.py
+++ b/lib/tool_shed/util/commit_util.py
@@ -274,7 +274,11 @@
return False, None, error_message
def handle_repository_dependency_elem( trans, elem, unpopulate=False ):
+ """Populate or unpopulate repository tags."""
# <repository name="molecule_datatypes" owner="test" changeset_revision="1a070566e9c6" />
+ # <repository changeset_revision="xxx" name="package_xorg_macros_1_17_1" owner="test" toolshed="yyy">
+ # <package name="xorg_macros" version="1.17.1" />
+ # </repository>
error_message = ''
name = elem.get( 'name' )
owner = elem.get( 'owner' )
@@ -285,6 +289,23 @@
revised = False
toolshed = elem.get( 'toolshed' )
changeset_revision = elem.get( 'changeset_revision' )
+ sub_elems = elem.findall( './/' )
+ if sub_elems:
+ # At this point, a <repository> tag will point only to a package.
+ # <package name="xorg_macros" version="1.17.1" />
+ # Coerce the list to an odict().
+ sub_elements = odict()
+ packages = []
+ for sub_elem in sub_elems:
+ sub_elem_type = sub_elem.tag
+ sub_elem_name = sub_elem.get( 'name' )
+ sub_elem_version = sub_elem.get( 'version' )
+ if sub_elem_type and sub_elem_name and sub_elem_version:
+ packages.append( ( sub_elem_name, sub_elem_version ) )
+ sub_elements[ 'packages' ] = packages
+ else:
+ # Set to None.
+ sub_elements = None
if unpopulate:
# We're exporting the repository, so eliminate all toolshed and changeset_revision attributes from the <repository> tag.
if toolshed or changeset_revision:
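Review bot: The loop over `sub_elems` reads `sub_elem_type = sub_elem.tag` but only tests it for truthiness, so any descendant carrying `name` and `version` attributes is recorded as a package regardless of its tag, and `findall( './/' )` also returns nested descendants and comment nodes, whose `.tag` is a callable and therefore always truthy. Restricting the guard to `if sub_elem_type == 'package' and sub_elem_name and sub_elem_version:` would make the tag check meaningful and match the comment above it that says only `<package>` is expected here. The identical hunk in changeset 11cde97a48eb below has the same issue. handle_repository_dependency_elem continues past the hunk.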
@@ -292,7 +313,7 @@
attributes[ 'name' ] = name
attributes[ 'owner' ] = owner
attributes[ 'prior_installation_required' ] = elem.get( 'prior_installation_required', 'False' )
- elem = xml_util.create_element( 'repository', attributes=attributes, sub_elements=None )
+ elem = xml_util.create_element( 'repository', attributes=attributes, sub_elements=sub_elements )
revised = True
return revised, elem, error_message
# From here on we're populating the toolshed and changeset_revisions if necessary.
@@ -321,10 +342,12 @@
return revised, elem, error_message
def handle_repository_dependency_sub_elem( trans, package_altered, altered, actions_elem, action_index, action_elem, unpopulate=False ):
- # This method populates the toolshed and changeset_revision attributes for each of the following.
- # <action type="set_environment_for_install">
- # <action type="setup_r_environment">
- # <action type="setup_ruby_environment">
+ """
+ Populate or unpopulate the toolshed and changeset_revision attributes for each of the following tag sets.
+ <action type="set_environment_for_install">
+ <action type="setup_r_environment">
+ <action type="setup_ruby_environment">
+ """
error_message = ''
for repo_index, repo_elem in enumerate( action_elem ):
# Make sure to skip comments and tags that are not <repository>.
@@ -343,7 +366,8 @@
def handle_tool_dependencies_definition( trans, tool_dependencies_config, unpopulate=False ):
"""
- Populate or unpopulate the tooshed and changeset_revision attributes of each <repository> tag defined within a tool_dependencies.xml file.
+ Populate or unpopulate the tooshed and changeset_revision attributes of each <repository>
+ tag defined within a tool_dependencies.xml file.
"""
altered = False
error_message = ''
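Review bot: The reflowed docstring still carries the misspelling `tooshed`; since the commit rewrites these lines anyway, `Populate or unpopulate the toolshed and changeset_revision attributes of each <repository>` would fix it at no cost. The same docstring is touched in changeset 11cde97a48eb below. handle_tool_dependencies_definition's body continues past the hunk.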
diff -r 66aa6798e55303abc40fbb585c75e8c77638cca3 -r 7f7da7248d4de5d9f039639db77721d0b22fa6c5 lib/tool_shed/util/xml_util.py
--- a/lib/tool_shed/util/xml_util.py
+++ b/lib/tool_shed/util/xml_util.py
@@ -47,7 +47,7 @@
def create_element( tag, attributes=None, sub_elements=None ):
"""
Create a new element whose tag is the value of the received tag, and whose attributes are all
- key / value pairs in the received the attributes and sub_elements.
+ key / value pairs in the received attributes and sub_elements.
"""
if tag:
elem = XmlET.Element( tag )
@@ -56,14 +56,22 @@
for k, v in attributes.items():
elem.set( k, v )
if sub_elements:
- # The received attributes is an odict as well. These handle information that tends to be
+ # The received attributes is an odict. These handle information that tends to be
# long text including paragraphs (e.g., description and long_description.
for k, v in sub_elements.items():
# Don't include fields that are blank.
if v:
- sub_elem = XmlET.SubElement( elem, k )
- if isinstance( v, list ):
- # If the sub_elem is a list, then it must be a list of tuples where the first
+ if k == 'packages':
+ # The received sub_elements is an odict whose key is 'packages' and whose
+ # value is a list of ( name, version ) tuples.
+ for v_tuple in v:
+ sub_elem = XmlET.SubElement( elem, 'package' )
+ sub_elem_name, sub_elem_version = v_tuple
+ sub_elem.set( 'name', sub_elem_name )
+ sub_elem.set( 'version', sub_elem_version )
+ elif isinstance( v, list ):
+ sub_elem = XmlET.SubElement( elem, k )
+ # If v is a list, then it must be a list of tuples where the first
# item is the tag and the second item is the text value.
for v_tuple in v:
if len( v_tuple ) == 2:
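Review bot: The new `'packages'` branch unpacks `sub_elem_name, sub_elem_version = v_tuple` without the `len( v_tuple ) == 2` guard that the sibling list branch applies first, so a malformed tuple raises ValueError out of create_element rather than being handled the way the other branch handles it. The rewritten comment on the `if sub_elements:` branch still says `The received attributes is an odict` where it describes `sub_elements`; `# The received sub_elements is an odict.` would match what the code reads. The identical hunk in changeset 11cde97a48eb below shares both points. create_element continues past the hunk.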
@@ -74,6 +82,7 @@
v_elem = XmlET.SubElement( sub_elem, v_tag )
v_elem.text = v_text
else:
+ sub_elem = XmlET.SubElement( elem, k )
sub_elem.text = v
return elem
return None
https://bitbucket.org/galaxy/galaxy-central/commits/ce7e90f9576b/
Changeset: ce7e90f9576b
User: davebgx
Date: 2014-02-26 21:11:47
Summary: Merge stable.
Affected #: 0 files
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/11cde97a48eb/
Changeset: 11cde97a48eb
User: greg
Date: 2014-02-26 21:09:43
Summary: Fixes for handling complex repository dependency definitions in tool dependency recipes.
Affected #: 2 files
diff -r 7225183f34d12b1ed3d879a85054ee98a7750729 -r 11cde97a48eb4a7b2934bef3a507d1a2c5ea3379 lib/tool_shed/util/commit_util.py
--- a/lib/tool_shed/util/commit_util.py
+++ b/lib/tool_shed/util/commit_util.py
@@ -274,7 +274,11 @@
return False, None, error_message
def handle_repository_dependency_elem( trans, elem, unpopulate=False ):
+ """Populate or unpopulate repository tags."""
# <repository name="molecule_datatypes" owner="test" changeset_revision="1a070566e9c6" />
+ # <repository changeset_revision="xxx" name="package_xorg_macros_1_17_1" owner="test" toolshed="yyy">
+ # <package name="xorg_macros" version="1.17.1" />
+ # </repository>
error_message = ''
name = elem.get( 'name' )
owner = elem.get( 'owner' )
@@ -285,6 +289,23 @@
revised = False
toolshed = elem.get( 'toolshed' )
changeset_revision = elem.get( 'changeset_revision' )
+ sub_elems = elem.findall( './/' )
+ if sub_elems:
+ # At this point, a <repository> tag will point only to a package.
+ # <package name="xorg_macros" version="1.17.1" />
+ # Coerce the list to an odict().
+ sub_elements = odict()
+ packages = []
+ for sub_elem in sub_elems:
+ sub_elem_type = sub_elem.tag
+ sub_elem_name = sub_elem.get( 'name' )
+ sub_elem_version = sub_elem.get( 'version' )
+ if sub_elem_type and sub_elem_name and sub_elem_version:
+ packages.append( ( sub_elem_name, sub_elem_version ) )
+ sub_elements[ 'packages' ] = packages
+ else:
+ # Set to None.
+ sub_elements = None
if unpopulate:
# We're exporting the repository, so eliminate all toolshed and changeset_revision attributes from the <repository> tag.
if toolshed or changeset_revision:
@@ -292,7 +313,7 @@
attributes[ 'name' ] = name
attributes[ 'owner' ] = owner
attributes[ 'prior_installation_required' ] = elem.get( 'prior_installation_required', 'False' )
- elem = xml_util.create_element( 'repository', attributes=attributes, sub_elements=None )
+ elem = xml_util.create_element( 'repository', attributes=attributes, sub_elements=sub_elements )
revised = True
return revised, elem, error_message
# From here on we're populating the toolshed and changeset_revisions if necessary.
@@ -321,10 +342,12 @@
return revised, elem, error_message
def handle_repository_dependency_sub_elem( trans, package_altered, altered, actions_elem, action_index, action_elem, unpopulate=False ):
- # This method populates the toolshed and changeset_revision attributes for each of the following.
- # <action type="set_environment_for_install">
- # <action type="setup_r_environment">
- # <action type="setup_ruby_environment">
+ """
+ Populate or unpopulate the toolshed and changeset_revision attributes for each of the following tag sets.
+ <action type="set_environment_for_install">
+ <action type="setup_r_environment">
+ <action type="setup_ruby_environment">
+ """
error_message = ''
for repo_index, repo_elem in enumerate( action_elem ):
# Make sure to skip comments and tags that are not <repository>.
@@ -343,7 +366,8 @@
def handle_tool_dependencies_definition( trans, tool_dependencies_config, unpopulate=False ):
"""
- Populate or unpopulate the tooshed and changeset_revision attributes of each <repository> tag defined within a tool_dependencies.xml file.
+ Populate or unpopulate the tooshed and changeset_revision attributes of each <repository>
+ tag defined within a tool_dependencies.xml file.
"""
altered = False
error_message = ''
diff -r 7225183f34d12b1ed3d879a85054ee98a7750729 -r 11cde97a48eb4a7b2934bef3a507d1a2c5ea3379 lib/tool_shed/util/xml_util.py
--- a/lib/tool_shed/util/xml_util.py
+++ b/lib/tool_shed/util/xml_util.py
@@ -47,7 +47,7 @@
def create_element( tag, attributes=None, sub_elements=None ):
"""
Create a new element whose tag is the value of the received tag, and whose attributes are all
- key / value pairs in the received the attributes and sub_elements.
+ key / value pairs in the received attributes and sub_elements.
"""
if tag:
elem = XmlET.Element( tag )
@@ -56,14 +56,22 @@
for k, v in attributes.items():
elem.set( k, v )
if sub_elements:
- # The received attributes is an odict as well. These handle information that tends to be
+ # The received attributes is an odict. These handle information that tends to be
# long text including paragraphs (e.g., description and long_description.
for k, v in sub_elements.items():
# Don't include fields that are blank.
if v:
- sub_elem = XmlET.SubElement( elem, k )
- if isinstance( v, list ):
- # If the sub_elem is a list, then it must be a list of tuples where the first
+ if k == 'packages':
+ # The received sub_elements is an odict whose key is 'packages' and whose
+ # value is a list of ( name, version ) tuples.
+ for v_tuple in v:
+ sub_elem = XmlET.SubElement( elem, 'package' )
+ sub_elem_name, sub_elem_version = v_tuple
+ sub_elem.set( 'name', sub_elem_name )
+ sub_elem.set( 'version', sub_elem_version )
+ elif isinstance( v, list ):
+ sub_elem = XmlET.SubElement( elem, k )
+ # If v is a list, then it must be a list of tuples where the first
# item is the tag and the second item is the text value.
for v_tuple in v:
if len( v_tuple ) == 2:
@@ -74,6 +82,7 @@
v_elem = XmlET.SubElement( sub_elem, v_tag )
v_elem.text = v_text
else:
+ sub_elem = XmlET.SubElement( elem, k )
sub_elem.text = v
return elem
return None
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/f26afae68417/
Changeset: f26afae68417
User: jmchilton
Date: 2014-02-26 17:32:13
Summary: Merge latest stable.
Affected #: 3 files
diff -r 2295745a2888e74a518bdd6d7189d10031cbbf7d -r f26afae68417905a7f662671a18ca551f39ecf5f lib/galaxy/config.py
--- a/lib/galaxy/config.py
+++ b/lib/galaxy/config.py
@@ -207,6 +207,7 @@
self.log_actions = string_as_bool( kwargs.get( 'log_actions', 'False' ) )
self.log_events = string_as_bool( kwargs.get( 'log_events', 'False' ) )
self.sanitize_all_html = string_as_bool( kwargs.get( 'sanitize_all_html', True ) )
+ self.serve_xss_vulnerable_mimetypes = string_as_bool( kwargs.get( 'serve_xss_vulnerable_mimetypes', False ) )
self.enable_old_display_applications = string_as_bool( kwargs.get( "enable_old_display_applications", "True" ) )
self.ucsc_display_sites = kwargs.get( 'ucsc_display_sites', "main,test,archaea,ucla" ).lower().split(",")
self.gbrowse_display_sites = kwargs.get( 'gbrowse_display_sites', "modencode,sgd_yeast,tair,wormbase,wormbase_ws120,wormbase_ws140,wormbase_ws170,wormbase_ws180,wormbase_ws190,wormbase_ws200,wormbase_ws204,wormbase_ws210,wormbase_ws220,wormbase_ws225" ).lower().split(",")
diff -r 2295745a2888e74a518bdd6d7189d10031cbbf7d -r f26afae68417905a7f662671a18ca551f39ecf5f lib/galaxy/datatypes/data.py
--- a/lib/galaxy/datatypes/data.py
+++ b/lib/galaxy/datatypes/data.py
@@ -21,6 +21,12 @@
eggs.require( "Paste" )
import paste
+XSS_VULNERABLE_MIME_TYPES = [
+ 'image/svg+xml', # Unfiltered by Galaxy and may contain JS that would be executed by some browsers.
+ 'application/xml', # Some browsers will evalute SVG embedded JS in such XML documents.
+]
+DEFAULT_MIME_TYPE = 'text/plain' # Vulnerable mime types will be replaced with this.
+
log = logging.getLogger(__name__)
comptypes=[] # Is this being used anywhere, why was this here? -JohnC
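Review bot: XSS_VULNERABLE_MIME_TYPES is matched by exact string comparison in `_clean_and_set_mime_type` below, so a mime value carrying parameters (e.g. `image/svg+xml; charset=utf-8`) or a sibling XML type such as `text/xml` or `application/xhtml+xml`, which browsers may also render as XML, would pass through unchanged; if the datatypes registry can emit those, the list should include them or the comparison should strip parameters first. The comment on `'application/xml'` misspells `evalute`; `# Some browsers will evaluate SVG embedded JS in such XML documents.` fixes it. The same block appears in changesets 3a3c1a860c30 and 9c915a92142d below.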
@@ -334,11 +340,12 @@
mime = trans.app.datatypes_registry.get_mimetype_by_extension( ".".split( file_path )[-1] )
except:
mime = "text/plain"
- trans.response.set_content_type( mime )
+ self._clean_and_set_mime_type( trans, mime )
return open( file_path )
else:
return trans.show_error_message( "Could not find '%s' on the extra files path %s." % ( filename, file_path ) )
- trans.response.set_content_type(data.get_mime())
+ self._clean_and_set_mime_type( trans, data.get_mime() )
+
trans.log_event( "Display dataset id: %s" % str( data.id ) )
from galaxy import datatypes #DBTODO REMOVE THIS AT REFACTOR
if to_ext or isinstance(data.datatype, datatypes.binary.Binary): # Saving the file, or binary file
@@ -624,6 +631,12 @@
dataset_source = dataproviders.dataset.DatasetDataProvider( dataset )
return dataproviders.chunk.Base64ChunkDataProvider( dataset_source, **settings )
+ def _clean_and_set_mime_type(self, trans, mime):
+ if mime.lower() in XSS_VULNERABLE_MIME_TYPES:
+ if not getattr( trans.app.config, "serve_xss_vulnerable_mimetypes", True ):
+ mime = DEFAULT_MIME_TYPE
+ trans.response.set_content_type( mime )
+
@dataproviders.decorators.has_dataproviders
class Text( Data ):
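Review bot: `_clean_and_set_mime_type` fails open: the `getattr( trans.app.config, "serve_xss_vulnerable_mimetypes", True )` fallback means any app whose config object lacks the attribute serves the vulnerable types, the opposite of the `False` default that lib/galaxy/config.py sets in this same commit. Defaulting the fallback to the safe side, `if not getattr( trans.app.config, "serve_xss_vulnerable_mimetypes", False ):`, keeps the two consistent. The method also deserves a docstring stating the intent, e.g. `"""Set the response content type, downgrading XSS-prone mime types to DEFAULT_MIME_TYPE unless the config allows them."""`. The same method appears in changesets 3a3c1a860c30 and 9c915a92142d below.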
diff -r 2295745a2888e74a518bdd6d7189d10031cbbf7d -r f26afae68417905a7f662671a18ca551f39ecf5f universe_wsgi.ini.sample
--- a/universe_wsgi.ini.sample
+++ b/universe_wsgi.ini.sample
@@ -507,6 +507,12 @@
# unaltered output.
#sanitize_all_html = True
+# By default Galaxy will serve non-HTML tool output that may potentially
+# contain browser executable JavaScript content as plain text. This will for
+# instance cause SVG datasets to not render properly and so may be disabled
+# by setting the following option to True.
+#serve_xss_vulnerable_mimetypes = False
+
# Debug enables access to various config options useful for development and
# debugging: use_lint, use_profile, use_printdebug and use_interactive. It
# also causes the files used by PBS/SGE (submission script, output, and error)
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
2 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/3a3c1a860c30/
Changeset: 3a3c1a860c30
Branch: stable
User: jmchilton
Date: 2014-02-21 16:54:53
Summary: Do not serve non-HTML content that may contain JavaScript in such a way that web browsers execute it.
This option will prevent Galaxy from correctly rendering SVG files generated from tools or uploaded by users and so can be disabled by setting the new option serve_xss_vulnerable_mimetypes in universe_wsgi.ini to True.
Thanks to Tobias Sargeant for pointing out this problem.
Affected #: 3 files
diff -r f58179ab488879a1a54821e98b4c65c048fa2fd6 -r 3a3c1a860c306df8d8176b0d2d455a5ed663f597 lib/galaxy/config.py
--- a/lib/galaxy/config.py
+++ b/lib/galaxy/config.py
@@ -207,6 +207,7 @@
self.log_actions = string_as_bool( kwargs.get( 'log_actions', 'False' ) )
self.log_events = string_as_bool( kwargs.get( 'log_events', 'False' ) )
self.sanitize_all_html = string_as_bool( kwargs.get( 'sanitize_all_html', True ) )
+ self.serve_xss_vulnerable_mimetypes = string_as_bool( kwargs.get( 'serve_xss_vulnerable_mimetypes', False ) )
self.enable_old_display_applications = string_as_bool( kwargs.get( "enable_old_display_applications", "True" ) )
self.ucsc_display_sites = kwargs.get( 'ucsc_display_sites', "main,test,archaea,ucla" ).lower().split(",")
self.gbrowse_display_sites = kwargs.get( 'gbrowse_display_sites', "modencode,sgd_yeast,tair,wormbase,wormbase_ws120,wormbase_ws140,wormbase_ws170,wormbase_ws180,wormbase_ws190,wormbase_ws200,wormbase_ws204,wormbase_ws210,wormbase_ws220,wormbase_ws225" ).lower().split(",")
diff -r f58179ab488879a1a54821e98b4c65c048fa2fd6 -r 3a3c1a860c306df8d8176b0d2d455a5ed663f597 lib/galaxy/datatypes/data.py
--- a/lib/galaxy/datatypes/data.py
+++ b/lib/galaxy/datatypes/data.py
@@ -21,6 +21,12 @@
eggs.require( "Paste" )
import paste
+XSS_VULNERABLE_MIME_TYPES = [
+ 'image/svg+xml', # Unfiltered by Galaxy and may contain JS that would be executed by some browsers.
+ 'application/xml', # Some browsers will evalute SVG embedded JS in such XML documents.
+]
+DEFAULT_MIME_TYPE = 'text/plain' # Vulnerable mime types will be replaced with this.
+
log = logging.getLogger(__name__)
comptypes=[] # Is this being used anywhere, why was this here? -JohnC
@@ -334,11 +340,12 @@
mime = trans.app.datatypes_registry.get_mimetype_by_extension( ".".split( file_path )[-1] )
except:
mime = "text/plain"
- trans.response.set_content_type( mime )
+ self._clean_and_set_mime_type( trans, mime )
return open( file_path )
else:
return trans.show_error_message( "Could not find '%s' on the extra files path %s." % ( filename, file_path ) )
- trans.response.set_content_type(data.get_mime())
+ self._clean_and_set_mime_type( trans, data.get_mime() )
+
trans.log_event( "Display dataset id: %s" % str( data.id ) )
from galaxy import datatypes #DBTODO REMOVE THIS AT REFACTOR
if to_ext or isinstance(data.datatype, datatypes.binary.Binary): # Saving the file, or binary file
@@ -624,6 +631,12 @@
dataset_source = dataproviders.dataset.DatasetDataProvider( dataset )
return dataproviders.chunk.Base64ChunkDataProvider( dataset_source, **settings )
+ def _clean_and_set_mime_type(self, trans, mime):
+ if mime.lower() in XSS_VULNERABLE_MIME_TYPES:
+ if not getattr( trans.app.config, "serve_xss_vulnerable_mimetypes", True ):
+ mime = DEFAULT_MIME_TYPE
+ trans.response.set_content_type( mime )
+
@dataproviders.decorators.has_dataproviders
class Text( Data ):
diff -r f58179ab488879a1a54821e98b4c65c048fa2fd6 -r 3a3c1a860c306df8d8176b0d2d455a5ed663f597 universe_wsgi.ini.sample
--- a/universe_wsgi.ini.sample
+++ b/universe_wsgi.ini.sample
@@ -497,6 +497,12 @@
# unaltered output.
#sanitize_all_html = True
+# By default Galaxy will serve non-HTML tool output that may potentially
+# contain browser executable JavaScript content as plain text. This will for
+# instance cause SVG datasets to not render properly and so may be disabled
+# by setting the following option to True.
+#serve_xss_vulnerable_mimetypes = False
+
# Debug enables access to various config options useful for development and
# debugging: use_lint, use_profile, use_printdebug and use_interactive. It
# also causes the files used by PBS/SGE (submission script, output, and error)
https://bitbucket.org/galaxy/galaxy-central/commits/9c915a92142d/
Changeset: 9c915a92142d
Branch: stable
User: jmchilton
Date: 2014-02-26 17:30:09
Summary: Merged in jmchilton/galaxy-central-fork-1/stable (pull request #333)
Disable rendering of user uploaded/tool generated SVG files.
Affected #: 3 files
diff -r 520c006a361987cf89f77c0e31e259a4a894ef60 -r 9c915a92142d3b796b0df82b8d097e5a5aae678f lib/galaxy/config.py
--- a/lib/galaxy/config.py
+++ b/lib/galaxy/config.py
@@ -207,6 +207,7 @@
self.log_actions = string_as_bool( kwargs.get( 'log_actions', 'False' ) )
self.log_events = string_as_bool( kwargs.get( 'log_events', 'False' ) )
self.sanitize_all_html = string_as_bool( kwargs.get( 'sanitize_all_html', True ) )
+ self.serve_xss_vulnerable_mimetypes = string_as_bool( kwargs.get( 'serve_xss_vulnerable_mimetypes', False ) )
self.enable_old_display_applications = string_as_bool( kwargs.get( "enable_old_display_applications", "True" ) )
self.ucsc_display_sites = kwargs.get( 'ucsc_display_sites', "main,test,archaea,ucla" ).lower().split(",")
self.gbrowse_display_sites = kwargs.get( 'gbrowse_display_sites', "modencode,sgd_yeast,tair,wormbase,wormbase_ws120,wormbase_ws140,wormbase_ws170,wormbase_ws180,wormbase_ws190,wormbase_ws200,wormbase_ws204,wormbase_ws210,wormbase_ws220,wormbase_ws225" ).lower().split(",")
diff -r 520c006a361987cf89f77c0e31e259a4a894ef60 -r 9c915a92142d3b796b0df82b8d097e5a5aae678f lib/galaxy/datatypes/data.py
--- a/lib/galaxy/datatypes/data.py
+++ b/lib/galaxy/datatypes/data.py
@@ -21,6 +21,12 @@
eggs.require( "Paste" )
import paste
+XSS_VULNERABLE_MIME_TYPES = [
+ 'image/svg+xml', # Unfiltered by Galaxy and may contain JS that would be executed by some browsers.
+ 'application/xml', # Some browsers will evalute SVG embedded JS in such XML documents.
+]
+DEFAULT_MIME_TYPE = 'text/plain' # Vulnerable mime types will be replaced with this.
+
log = logging.getLogger(__name__)
comptypes=[] # Is this being used anywhere, why was this here? -JohnC
@@ -334,11 +340,12 @@
mime = trans.app.datatypes_registry.get_mimetype_by_extension( ".".split( file_path )[-1] )
except:
mime = "text/plain"
- trans.response.set_content_type( mime )
+ self._clean_and_set_mime_type( trans, mime )
return open( file_path )
else:
return trans.show_error_message( "Could not find '%s' on the extra files path %s." % ( filename, file_path ) )
- trans.response.set_content_type(data.get_mime())
+ self._clean_and_set_mime_type( trans, data.get_mime() )
+
trans.log_event( "Display dataset id: %s" % str( data.id ) )
from galaxy import datatypes #DBTODO REMOVE THIS AT REFACTOR
if to_ext or isinstance(data.datatype, datatypes.binary.Binary): # Saving the file, or binary file
@@ -624,6 +631,12 @@
dataset_source = dataproviders.dataset.DatasetDataProvider( dataset )
return dataproviders.chunk.Base64ChunkDataProvider( dataset_source, **settings )
+ def _clean_and_set_mime_type(self, trans, mime):
+ if mime.lower() in XSS_VULNERABLE_MIME_TYPES:
+ if not getattr( trans.app.config, "serve_xss_vulnerable_mimetypes", True ):
+ mime = DEFAULT_MIME_TYPE
+ trans.response.set_content_type( mime )
+
@dataproviders.decorators.has_dataproviders
class Text( Data ):
diff -r 520c006a361987cf89f77c0e31e259a4a894ef60 -r 9c915a92142d3b796b0df82b8d097e5a5aae678f universe_wsgi.ini.sample
--- a/universe_wsgi.ini.sample
+++ b/universe_wsgi.ini.sample
@@ -497,6 +497,12 @@
# unaltered output.
#sanitize_all_html = True
+# By default Galaxy will serve non-HTML tool output that may potentially
+# contain browser executable JavaScript content as plain text. This will for
+# instance cause SVG datasets to not render properly and so may be disabled
+# by setting the following option to True.
+#serve_xss_vulnerable_mimetypes = False
+
# Debug enables access to various config options useful for development and
# debugging: use_lint, use_profile, use_printdebug and use_interactive. It
# also causes the files used by PBS/SGE (submission script, output, and error)
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
2 new commits in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/commits/61ea14f9a8b6/
Changeset: 61ea14f9a8b6
User: davebgx
Date: 2014-02-26 16:19:48
Summary: Fix missing parenthesis.
Affected #: 1 file
diff -r 070086f7eb7f71ec4324eb9892a56a6028eb3628 -r 61ea14f9a8b62bc891c638329e91b4aee347db0d lib/tool_shed/galaxy_install/tool_dependencies/install_util.py
--- a/lib/tool_shed/galaxy_install/tool_dependencies/install_util.py
+++ b/lib/tool_shed/galaxy_install/tool_dependencies/install_util.py
@@ -350,7 +350,7 @@
tool_dependency_type='package' )
if not can_install_tool_dependency:
log.debug( "Tool dependency %s version %s cannot be installed (it was probably previously installed), so returning it." % \
- ( str( tool_dependency.name, str( tool_dependency.version ) ) ) )
+ ( str( tool_dependency.name ), str( tool_dependency.version ) ) )
return tool_dependency
else:
can_install_tool_dependency = True
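Review bot: The corrected format arguments still wrap both values in `str()`, which `%s` already applies, so `( tool_dependency.name, tool_dependency.version ) )` is equivalent and avoids the nested parentheses that caused the original mismatch. Passing the values as logging arguments, `log.debug( "Tool dependency %s version %s cannot be installed (it was probably previously installed), so returning it.", tool_dependency.name, tool_dependency.version )`, would also defer the formatting until the record is actually emitted. The enclosing function starts and ends outside the hunk.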
https://bitbucket.org/galaxy/galaxy-central/commits/a24050956e78/
Changeset: a24050956e78
User: davebgx
Date: 2014-02-26 16:20:44
Summary: Use log instead of print for tool dependency installation processes' stdout and stderr, since twill redirects those streams to a StringIO object.
Affected #: 1 file
diff -r 61ea14f9a8b62bc891c638329e91b4aee347db0d -r a24050956e787690b7a37564a932fdfb194cdb6a lib/tool_shed/galaxy_install/tool_dependencies/fabric_util.py
--- a/lib/tool_shed/galaxy_install/tool_dependencies/fabric_util.py
+++ b/lib/tool_shed/galaxy_install/tool_dependencies/fabric_util.py
@@ -162,14 +162,16 @@
is printed and saved to that thread's queue. The calling thread can then retrieve the data using
thread.stdout and thread.stderr.
"""
+ stdout_logger = logging.getLogger( 'fabric_util.STDOUT' )
+ stderr_logger = logging.getLogger( 'fabric_util.STDERR' )
for line in iter( stdout.readline, '' ):
output = line.rstrip()
- print output
+ stdout_logger.debug( output )
stdout_queue.put( output )
stdout_queue.put( None )
for line in iter( stderr.readline, '' ):
output = line.rstrip()
- print output
+ stderr_logger.debug( output )
stderr_queue.put( output )
stderr_queue.put( None )
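Review bot: The docstring just above the change still says each line `is printed and saved to that thread's queue`, which is no longer true now that lines go to `stdout_logger.debug` / `stderr_logger.debug`; `is logged at DEBUG level and saved to that thread's queue` would keep it accurate. Because both loggers emit at DEBUG, subprocess stderr will not appear in the log under any configuration that does not enable DEBUG for `fabric_util.STDERR`, so callers must rely on the queue rather than the log for error text — worth stating in the docstring if that is the intent. The function's signature is outside the hunk.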
Repository URL: https://bitbucket.org/galaxy/galaxy-central/