1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/c1d4e82df5cb/ Changeset: c1d4e82df5cb Branch: next-stable User: dan Date: 2014-12-04 21:14:28+00:00 Summary: Some web sanitization for Data Managers and Biostar redirect. Affected #: 4 files diff -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 -r c1d4e82df5cbf8a6d551221a0d4013d658ad4748 lib/galaxy/webapps/galaxy/controllers/data_manager.py --- a/lib/galaxy/webapps/galaxy/controllers/data_manager.py +++ b/lib/galaxy/webapps/galaxy/controllers/data_manager.py @@ -7,6 +7,8 @@ pkg_resources.require( "Paste" ) import paste.httpexceptions +from galaxy.web.framework.helpers import escape + #set up logger import logging log = logging.getLogger( __name__ ) @@ -18,8 +20,8 @@ not_is_admin = not trans.user_is_admin() if not_is_admin and not trans.app.config.enable_data_manager_user_view: raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." ) - message = kwd.get( 'message' ) - status = kwd.get( 'status', 'info' ) + message = escape( kwd.get( 'message', '' ) ) + status = escape( kwd.get( 'status', 'info' ) ) return trans.fill_template( "data_manager/index.mako", data_managers=trans.app.data_managers, tool_data_tables=trans.app.tool_data_tables, view_only=not_is_admin, message=message, status=status ) @web.expose @@ -27,8 +29,8 @@ not_is_admin = not trans.user_is_admin() if not_is_admin and not trans.app.config.enable_data_manager_user_view: raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." ) - message = kwd.get( 'message' ) - status = kwd.get( 'status', 'info' ) + message = escape( kwd.get( 'message', '' ) ) + status = escape( kwd.get( 'status', 'info' ) ) data_manager_id = kwd.get( 'id', None ) data_manager = trans.app.data_managers.get_manager( data_manager_id ) if data_manager is None: 
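Review bot: `status = escape( kwd.get( 'status', 'info' ) )` in the @@ -18 hunk neutralizes markup, but the value is still whatever the request supplied and is handed to the template as the message type; an allowlist is the stronger check, e.g. keep `status = kwd.get( 'status', 'info' )` and follow it with `if status not in KNOWN_MESSAGE_STATUSES: status = 'info'` (with `KNOWN_MESSAGE_STATUSES` a constant to be added holding the types the message box understands). Escaping `message` in the controller also means index.mako must not filter it with `| h` a second time, or `&` and `<` in a message render as entity text — worth confirming against the template. The same four-line block is repeated in the hunks at @@ -27, @@ -41 and @@ -74; a small helper returning `(message, status)` would keep the handling in one place. The enclosing methods start before each of these hunks.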
@@ -41,8 +43,8 @@
 not_is_admin = not trans.user_is_admin()
 if not_is_admin and not trans.app.config.enable_data_manager_user_view:
 raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
 job_id = kwd.get( 'id', None )
 try:
 job_id = trans.security.decode_id( job_id )
@@ -62,7 +64,7 @@
 data_manager_json = loads( open( hda.get_file_name() ).read() )
 except Exception, e:
 data_manager_json = {}
- error_messages.append( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) )
+ error_messages.append( escape( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) ) )
 values = []
 for key, value in data_manager_json.get( 'data_tables', {} ).iteritems():
 values.append( ( key, value ) )
@@ -74,8 +76,8 @@
 not_is_admin = not trans.user_is_admin()
 if not_is_admin and not trans.app.config.enable_data_manager_user_view:
 raise paste.httpexceptions.HTTPUnauthorized( "This Galaxy instance is not configured to allow non-admins to view the data manager." )
- message = kwd.get( 'message' )
- status = kwd.get( 'status', 'info' )
+ message = escape( kwd.get( 'message', '' ) )
+ status = escape( kwd.get( 'status', 'info' ) )
 data_table_name = kwd.get( 'table_name', None )
 if not data_table_name:
 return trans.response.send_redirect( web.url_for( controller="data_manager", action="index" ) )
diff -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 -r c1d4e82df5cbf8a6d551221a0d4013d658ad4748 templates/webapps/galaxy/biostar/post_redirect.mako
--- a/templates/webapps/galaxy/biostar/post_redirect.mako
+++ b/templates/webapps/galaxy/biostar/post_redirect.mako
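Review bot: The new line `error_messages.append( escape( "Unable to obtain data_table info for hda (%s): %s" % ( hda.id, e ) ) )` in the @@ -62 hunk still interpolates the raw exception text `e` into a page that the neighbouring hunks make reachable by non-admins when `enable_data_manager_user_view` is set; for an I/O failure that text typically carries the dataset's filesystem path, so this is an information-disclosure concern that HTML escaping does not address. Prefer `log.exception( "Unable to obtain data_table info for hda (%s)", hda.id )` for the detail and a generic entry such as `error_messages.append( "Unable to obtain data_table info for hda (%s)" % hda.id )` for the viewer. The context line `loads( open( hda.get_file_name() ).read() )` (untouched by this commit) also never closes the file handle; a `with` block would. The enclosing function begins before this hunk.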
@@ -18,7 +18,7 @@ <p>If you are not automatically forwarded, click the button below:<p><form id="postRedirectForm" action="${post_url}" method="post" > %for input_name, input_value in form_inputs.items(): - <input type="hidden" name="${input_name}" value="${input_value | h}"> + <input type="hidden" name="${input_name | h}" value="${input_value | h}"> %endfor <input type="submit" name="GalaxySubmitPostRedirectForm" id='GalaxySubmitPostRedirectForm' value="Click Here"></form> diff -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 -r c1d4e82df5cbf8a6d551221a0d4013d658ad4748 templates/webapps/galaxy/data_manager/manage_data_table.mako --- a/templates/webapps/galaxy/data_manager/manage_data_table.mako +++ b/templates/webapps/galaxy/data_manager/manage_data_table.mako @@ -14,9 +14,9 @@ <% column_name_list = data_table.get_column_name_list() %><table class="tabletip"><thead> - <tr><th colspan="${len (column_name_list) }" style="font-size: 120%;"> + <tr><th colspan="${ len( column_name_list ) | h}" style="font-size: 120%;"> Data Manager: ${ data_table.name | h } - <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name} tool data table" data-placement="bottom"> + <a class="icon-btn" href="${ h.url_for( controller="data_manager", action="reload_tool_data_tables", table_name=data_table.name ) }" title="Reload ${data_table.name | h} tool data table" data-placement="bottom"><span class="fa fa-refresh"></span></a></th></tr> diff -r b51526d2f9b42a0bc64b55584e435ceebe7ceb31 -r c1d4e82df5cbf8a6d551221a0d4013d658ad4748 templates/webapps/galaxy/data_manager/view_job.mako --- a/templates/webapps/galaxy/data_manager/view_job.mako +++ b/templates/webapps/galaxy/data_manager/view_job.mako 
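Review bot: `action="${post_url}"` on the context line of this hunk is still rendered without the `| h` filter, while the changed `<input>` line now escapes both `input_name` and `input_value`. Where `post_url` comes from is not visible here; if it is built purely from configuration the risk is low, but `action="${post_url | h}"` closes the one remaining unfiltered attribute in this form at the cost of a single filter. The surrounding template begins before the hunk.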
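Review bot: In the manage_data_table.mako hunk the `href="${ h.url_for( ... ) }"` on the changed `<a>` line is left without `| h` while `title="Reload ${data_table.name | h} tool data table"` on the same line now gets it; `url_for` presumably encodes the `table_name` parameter, but the attribute value as a whole is still inserted unescaped, so appending `| h` inside that `${ ... }` would make the line consistent with itself. The same pattern is on the `show_params` link in view_job.mako at @@ -26. The `| h` added to `len( column_name_list )` here and to `j` at view_job.mako @@ -47 escapes integers — harmless, but noise a reader has to reason through.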
@@ -26,8 +26,8 @@ </thead><tbody><tr><td>Name:</td><td>${hda.name | h}</td></tr> - <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format)}</td></tr> - <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size)}</td></tr> + <tr><td>Created:</td><td>${hda.create_time.strftime(trans.app.config.pretty_datetime_format) | h}</td></tr> + <tr><td>Filesize:</td><td>${nice_size(hda.dataset.file_size) | h}</td></tr><tr><td>Tool Exit Code:</td><td>${job.exit_code | h}</td></tr><tr><td>Full Path:</td><td>${hda.file_name | h}</td></tr><tr><td>View complete info:</td><td><a href="${h.url_for( controller='dataset', action='show_params', dataset_id=trans.security.encode_id( hda.id ))}">${ hda.id | h }</a></td></tr> @@ -47,7 +47,7 @@ %for j, table_row in enumerate( json_table ): <tbody> %if len_json_table > 1: - <tr><td><strong>Entry #${j}</strong></td><td></td></tr> + <tr><td><strong>Entry #${j | h}</strong></td><td></td></tr> %endif %for name, value in table_row.iteritems(): <tr><td>${name | h}:</td><td>${value | h}</td></tr> Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.