1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/3e7adbbe91a0/ Changeset: 3e7adbbe91a0 Branch: stable User: jmchilton Date: 2014-12-09 14:31:53+00:00 Summary: Merged in dannon/galaxy-central/stable (pull request #596) [STABLE] Grafts of next-stable commits for security release. Affected #: 12 files diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 lib/galaxy/web/framework/helpers/__init__.py --- a/lib/galaxy/web/framework/helpers/__init__.py +++ b/lib/galaxy/web/framework/helpers/__init__.py @@ -3,13 +3,13 @@ """ import time -from cgi import escape from datetime import datetime, timedelta from galaxy import eggs from galaxy.util import hash_util from galaxy.util.json import dumps eggs.require( "MarkupSafe" ) #required by WebHelpers eggs.require( "WebHelpers" ) +from markupsafe import escape from webhelpers import date from webhelpers.html.tags import stylesheet_link, javascript_link diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 lib/galaxy/webapps/galaxy/controllers/dataset.py --- a/lib/galaxy/webapps/galaxy/controllers/dataset.py +++ b/lib/galaxy/webapps/galaxy/controllers/dataset.py @@ -11,8 +11,7 @@ from galaxy.util.sanitize_html import sanitize_html from galaxy.util.json import loads from galaxy.web.base.controller import BaseUIController, ERROR, SUCCESS, url_for, UsesHistoryDatasetAssociationMixin, UsesHistoryMixin, UsesExtendedMetadataMixin -from galaxy.web.framework.helpers import grids, iff, time_ago -from galaxy.web.framework.helpers import to_unicode +from galaxy.web.framework.helpers import grids, iff, time_ago, to_unicode, escape from galaxy.tools.errors import EmailErrorReporter eggs.require( "Paste" ) @@ -510,7 +509,7 @@ # Set referer message. referer = trans.request.referer if referer is not "": - referer_message = "<a href='%s'>return to the previous page</a>" % referer + referer_message = "<a href='%s'>return to the previous page</a>" % escape(referer) else: referer_message = "<a href='%s'>go to Galaxy's start page</a>" % url_for( '/' ) # Error checking. @@ -939,9 +938,12 @@ """ Show the parameters used for an HDA """ - hda = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( trans.security.decode_id( dataset_id ) ) + try: + hda = trans.sa_session.query( trans.app.model.HistoryDatasetAssociation ).get( trans.security.decode_id( dataset_id ) ) + except ValueError: + hda = None if not hda: - raise paste.httpexceptions.HTTPRequestRangeNotSatisfiable( "Invalid reference dataset id: %s." % str( dataset_id ) ) + raise paste.httpexceptions.HTTPRequestRangeNotSatisfiable( "Invalid reference dataset id: %s." % escape( str( dataset_id ) ) ) if not self._can_access_dataset( trans, hda ): return trans.show_error_message( "You are not allowed to access this dataset" ) @@ -973,7 +975,10 @@ params_objects = job.get_param_values( trans.app, ignore_errors=False ) except: params_objects = job.get_param_values( trans.app, ignore_errors=True ) - upgrade_messages = tool.check_and_update_param_values( job.get_param_values( trans.app, ignore_errors=True ), trans, update_values=False ) #use different param_objects here, since we want to display original values as much as possible + # use different param_objects in the following line, since we want to display original values as much as possible + upgrade_messages = tool.check_and_update_param_values( job.get_param_values( trans.app, ignore_errors=True ), + trans, + update_values=False ) has_parameter_errors = True except: pass diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 lib/galaxy/webapps/galaxy/controllers/history.py --- a/lib/galaxy/webapps/galaxy/controllers/history.py +++ b/lib/galaxy/webapps/galaxy/controllers/history.py @@ -17,7 +17,7 @@ from galaxy.web.base.controller import ExportsHistoryMixin from galaxy.web.base.controller import ImportsHistoryMixin from galaxy.web.base.controller import ERROR, INFO, SUCCESS, WARNING -from galaxy.web.framework.helpers import grids, iff, time_ago +from galaxy.web.framework.helpers import grids, iff, time_ago, escape log = logging.getLogger( __name__ ) @@ -1234,7 +1234,7 @@ else: referer = trans.request.referer if referer is not "": - referer_message = "<a href='%s'>return to the previous page</a>" % referer + referer_message = "<a href='%s'>return to the previous page</a>" % escape(referer) else: referer_message = "<a href='%s'>go to Galaxy's start page</a>" % url_for( '/' ) diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 lib/galaxy/webapps/galaxy/controllers/search.py --- a/lib/galaxy/webapps/galaxy/controllers/search.py +++ b/lib/galaxy/webapps/galaxy/controllers/search.py @@ -1,4 +1,3 @@ - """ Contains a basic search interface for Galaxy """ @@ -8,7 +7,13 @@ log = logging.getLogger( __name__ ) + class SearchController( BaseUIController ): + @web.expose def index(self, trans): - return trans.fill_template( "search/index.mako") + """ + Not ready for human consumption, yet. Power users can still use the + search API. + """ + return trans.show_message("Sorry, the search interface isn't quite ready for use, yet.") diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 lib/galaxy/webapps/galaxy/controllers/tool_runner.py --- a/lib/galaxy/webapps/galaxy/controllers/tool_runner.py +++ b/lib/galaxy/webapps/galaxy/controllers/tool_runner.py @@ -15,8 +15,8 @@ from galaxy.tools.parameters.basic import UnvalidatedValue from galaxy.util.bunch import Bunch from galaxy.util.hash_util import is_hashable -from galaxy.web import error -from galaxy.web import url_for +from galaxy.web import error, url_for +from galaxy.web.framework.helpers import escape from galaxy.web.base.controller import BaseUIController import tool_shed.util.shed_util_common as suc @@ -57,7 +57,7 @@ return trans.response.send_redirect( url_for( controller="root", action="welcome" ) ) # When the tool form is initially loaded, the received kwd will not include a 'refresh' # entry (which only is included when another option is selected in the tool_version_select_field), - # so the default selected option should be the most recent version of the tool. The following + # so the default selected option should be the most recent version of the tool. The following # check will mae sure this occurs. refreshed_on_change = kwd.get( 'refresh', False ) tool_version_select_field, tools, tool = self.__get_tool_components( tool_id, @@ -69,7 +69,7 @@ log.error( "index called with tool id '%s' but no such tool exists", tool_id ) trans.log_event( "Tool id '%s' does not exist" % tool_id ) trans.response.status = 404 - return "Tool '%s' does not exist, kwd=%s " % ( tool_id, kwd ) + return trans.show_error_message("Tool '%s' does not exist." % ( escape(tool_id) )) if tool.require_login and not trans.user: message = "You must be logged in to use this tool." status = "info" @@ -290,7 +290,7 @@ log.error( "data_source_redirect called with tool id '%s' but no such tool exists", tool_id ) trans.log_event( "Tool id '%s' does not exist" % tool_id ) trans.response.status = 404 - return "Tool '%s' does not exist, kwd=%s " % ( tool_id, kwd ) + return trans.show_error_message("Tool '%s' does not exist." % ( escape(tool_id) )) if isinstance( tool, DataSourceTool ): link = url_for( tool.action, **tool.get_static_param_values( trans ) ) diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 lib/galaxy/webapps/galaxy/controllers/user.py --- a/lib/galaxy/webapps/galaxy/controllers/user.py +++ b/lib/galaxy/webapps/galaxy/controllers/user.py @@ -605,8 +605,8 @@ else: refresh_frames = [ 'masthead' ] trans.handle_user_logout( logout_all=logout_all ) - message = 'You have been logged out.<br>You can log in again, <a target="_top" href="%s">go back to the page you were visiting</a> or <a target="_top" href="%s">go to the home page</a>.' % \ - ( escape( trans.request.referer ), url_for( '/' ) ) + message = 'You have been logged out.<br>To log in again <a target="_top" href="%s">go to the home page</a>.' % \ + ( url_for( '/' ) ) if biostar.biostar_logged_in( trans ): biostar_url = biostar.biostar_logout( trans ) if biostar_url: diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 lib/galaxy/webapps/galaxy/controllers/visualization.py --- a/lib/galaxy/webapps/galaxy/controllers/visualization.py +++ b/lib/galaxy/webapps/galaxy/controllers/visualization.py @@ -9,7 +9,7 @@ from galaxy import model, web from galaxy.model.item_attrs import UsesAnnotations, UsesItemRatings from galaxy.web.base.controller import BaseUIController, SharableMixin, UsesVisualizationMixin -from galaxy.web.framework.helpers import time_ago, grids +from galaxy.web.framework.helpers import time_ago, grids, escape from galaxy import util from galaxy.datatypes.interval import Bed from galaxy.util.json import loads @@ -123,7 +123,7 @@ # or_( "metadata like '%%\"dbkey\": [\"?\"]%%'", "metadata like '%%\"dbkey\": \"?\"%%'" ) \ # ) # ) - + class HistoryColumn( grids.GridColumn ): """ Column for filtering by history id. """ @@ -360,7 +360,7 @@ @web.expose @web.require_login( "use Galaxy visualizations", use_panels=True ) def list( self, trans, *args, **kwargs ): - + # Handle operation if 'operation' in kwargs and 'id' in kwargs: session = trans.sa_session @@ -388,7 +388,7 @@ kwargs[ 'embedded' ] = True grid = self._user_list_grid( trans, *args, **kwargs ) return trans.fill_template( "visualization/list.mako", embedded_grid=grid, shared_by_others=shared_by_others ) - + # # -- Functions for operating on visualizations. -- # @@ -459,7 +459,7 @@ # Set referer message. referer = trans.request.referer if referer is not "": - referer_message = "<a href='%s'>return to the previous page</a>" % referer + referer_message = "<a href='%s'>return to the previous page</a>" % escape(referer) else: referer_message = "<a href='%s'>go to Galaxy's start page</a>" % web.url_for( '/' ) diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py +++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py @@ -22,8 +22,7 @@ from galaxy.web import error, url_for from galaxy.web.base.controller import BaseUIController, SharableMixin, UsesStoredWorkflowMixin from galaxy.web.framework.formbuilder import form -from galaxy.web.framework.helpers import grids, time_ago -from galaxy.web.framework.helpers import to_unicode +from galaxy.web.framework.helpers import grids, time_ago, to_unicode, escape from galaxy.workflow.modules import WorkflowModuleInjector from galaxy.workflow.modules import MissingToolException from galaxy.workflow.modules import module_factory, is_tool_module_type @@ -389,7 +388,7 @@ # Set referer message. referer = trans.request.referer if referer is not "": - referer_message = "<a href='%s'>return to the previous page</a>" % referer + referer_message = "<a href='%s'>return to the previous page</a>" % escape(referer) else: referer_message = "<a href='%s'>go to Galaxy's start page</a>" % url_for( '/' ) diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 templates/base/base_panels.mako --- a/templates/base/base_panels.mako +++ b/templates/base/base_panels.mako @@ -45,7 +45,7 @@ <script> Raven.config('${app.config.sentry_dsn_public}').install(); %if trans.user: - Raven.setUser( { email: "${trans.user.email}" } ); + Raven.setUser( { email: "${trans.user.email | h}" } ); %endif </script> %endif diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 templates/refresh_frames.mako --- a/templates/refresh_frames.mako +++ b/templates/refresh_frames.mako @@ -21,7 +21,7 @@ ## Refresh masthead == user changes (backward compatibility) if ( parent.user_changed ) { %if trans.user: - parent.user_changed( "${trans.user.email}", ${int( app.config.is_admin_user( trans.user ) )} ); + parent.user_changed( "${trans.user.email | h }", ${int( app.config.is_admin_user( trans.user ) )} ); %else: parent.user_changed( null, false ); %endif diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 templates/search/index.mako --- a/templates/search/index.mako +++ b/templates/search/index.mako @@ -1,52 +1,112 @@ - <%inherit file="/webapps/galaxy/base_panels.mako"/> -<%namespace file="/search/search.mako" import="search_init" /> -<%namespace file="/search/search.mako" import="search_dialog" /><%def name="init()"> -<% - self.has_left_panel=False - self.has_right_panel=False - self.message_box_visible=False - self.active_view="shared" - self.overlay_visible=False -%> + <% + self.has_left_panel=False + self.has_right_panel=False + self.message_box_visible=False + self.active_view="shared" + self.overlay_visible=False + %></%def><%def name="stylesheets()"> -${parent.stylesheets()} -<style> -.searchResult { - border-style:dashed; - border-width:1px; - margin: 5px; -} -</style> + ${parent.stylesheets()} + <style> + .searchResult { + border-style:dashed; + border-width:1px; + margin: 5px; + } + </style> +</%def> + + +<%def name="javascripts()"> + ${parent.javascripts()} + ${h.js( + "libs/jquery/jquery", + )} + <script type="text/javascript"> + + function search_format_output(doc) { + var div_class = "historyItem"; + var a = $("<div class='" + div_class + "'>") + a.append($("<div>").append(doc['model_class'])); + b = a.append( $("<div class='historyItemTitle'><a href='/file/" + doc['id'] + "'>" + doc['name'] + "</a></div>") ); + if ('misc_blurb' in doc) { + b.append( $("<div>").append(doc["misc_blurb"]) ); + } + if ('peek' in doc) { + b.append( $("<pre class='peek'>").append( doc["peek"]) ); + } + return a; + } + + function doSearch(query) { + if (query.length > 1) { + var url = "/api/search"; + $.ajax({ + type : 'POST', + url: url, + data: JSON.stringify({"query" : query }), + contentType : 'application/json', + dataType : 'json', + success : function(data) { + var p = $("#output"); + p.empty(); + _.each(data.results, function(doc){ + var div_class = "historyItem"; + var a = $("<div class='" + div_class + "'>") + a.append($("<div>").append(doc['model_class'])); + b = a.append( $("<div class='historyItemTitle'><a href='/file/" + doc['id'] + "'>" + doc['name'] + "</a></div>") ); + if ('misc_blurb' in doc) { + b.append( $("<div>").append(doc["misc_blurb"]) ); + } + if ('peek' in doc) { + b.append( $("<pre class='peek'>").append( doc["peek"]) ); + } + p.append(b); + }); + } + }); + } + }; + + + var queryURL = function (query) { + var url = "/api/search" + encodeURIComponent(query); + url = url + "&field=" + $("#searchFields").val(); + if ($("#fileType").val() != "All") { + url = url + "&type=" + $("#fileType").val() + } + return url; + } + + $(document).ready( function() { + $("#search_button").click(function() { + doSearch($("#search_text").val()); + }); + $('#search_text').keyup(function(e){ + if(e.keyCode == 13) { + doSearch($("#search_text").val()); + } + }); + doSearch($("#search_text").val()); + }); + </script></%def> + <%def name="center_panel()"> -${search_init()} -<script type="text/javascript"> -var search_format_output = function(doc) { - var div_class = "historyItem"; - var a = $("<div class='" + div_class + "'>") - a.append($("<div>").append(doc['model_class'])); - b = a.append( $("<div class='historyItemTitle'><a href='/file/" + doc['id'] + "'>" + doc['name'] + "</a></div>") ); - if ('misc_blurb' in doc) { - b.append( $("<div>").append(doc["misc_blurb"]) ); - } - if ('peek' in doc) { - b.append( $("<pre class='peek'>").append( doc["peek"]) ); - } - return a; -} + <div id="search_box" style="margin: 20px;"> + <input type="text" id="search_text" size="90"/> + </div> + <div style="margin: 20px;"> + <input type="button" id="search_button" value="Search"/> + </div> + <div id="output"></div> -</script> -<div style="overflow: auto; height: 100%"> -${search_dialog("search_format_output")} -</div></%def> - - diff -r 3e3ac0894aba44bba95bce6dd6833e639e01f890 -r 3e7adbbe91a06d30a96e7a7101707e040376aba1 templates/webapps/galaxy/cloud/run.mako --- a/templates/webapps/galaxy/cloud/run.mako +++ /dev/null @@ -1,41 +0,0 @@ -<%inherit file="/webapps/galaxy/base_panels.mako"/> - -<%def name="init()"> -<% - self.has_left_panel=False - self.has_right_panel=False - self.active_view="shared" - self.message_box_visible=False -%> -</%def> - - -<%def name="center_panel()"> - <div style="overflow: auto; height: 100%;"> - <div class="page-container" style="padding: 10px;"> - <h2>Launching a Galaxy Cloud Instance</h2> -%if error: - <p>${error}</p> -%elif instance: - %if kp_material: - <h3>Very Important Key Pair Information</h3> - <p>A new key pair named '${kp_name}' has been created in your AWS - account and will be used to access this instance via ssh. It is - <strong>very important</strong> that you save the following private key - as it is not saved on this Galaxy instance and will be permanently lost - once you leave this page. To do this, save the following key block as - a plain text file named '${kp_name}'.</p> - <pre>${kp_material}</pre> - %endif - <p>The instance '${instance.id} has been successfully launched using the - '${instance.image_id}' AMI.<br/> Access it at <a - href="http://${instance.public_dns_name}">http://${instance.public_dns_name}</a></p> - <p>SSH access is available using your private key '${kp_name}'.</p> -%else: - <p> Unknown failure, no instance. Please refer to your AWS console at <a - href="https://console.aws.amazon.com">https://console.aws.amazon.com</a></p> -%endif - </div> - </div> -</%def> - Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.