2 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/06100e9a5626/ Changeset: 06100e9a5626 Branch: next-stable User: jmchilton Date: 2014-11-26 13:57:49+00:00 Summary: galaxy.ini.sample doc clarifications. Fix typo caught by Martin. Add warning message about why public servers should not disable sanitize_all_html. Affected #: 1 file diff -r 9925a5adf6c4b65d3242d99bc16138839ad7ef21 -r 06100e9a5626c38f3182e353470e882c29564c63 config/galaxy.ini.sample --- a/config/galaxy.ini.sample +++ b/config/galaxy.ini.sample @@ -523,13 +523,14 @@ # it faster on the fly. #upstream_gzip = False -# The following default adds a header to web request responses that will cause -# modern web browsers to not allow Galaxy to be embedded in the frames of web -# applications hosted at other hosts - this can help prevent a class of attack -# called clickjacking (https://www.owasp.org/index.php/Clickjacking). If you -# configuring a proxy to sit infront of Galaxy - please ensure this header -# remains intact to protect your users. Uncomment and leave empty to not set -# the `X-Frame-Options` header. +# The following default adds a header to web request responses that +# will cause modern web browsers to not allow Galaxy to be embedded in +# the frames of web applications hosted at other hosts - this can help +# prevent a class of attack called clickjacking +# (https://www.owasp.org/index.php/Clickjacking). If you configure a +# proxy in front of Galaxy - please ensure this header remains intact +# to protect your users. Uncomment and leave empty to not set the +# `X-Frame-Options` header. #x_frame_options = SAMEORIGIN # nginx can also handle file uploads (user-to-Galaxy) via nginx_upload_module. 
@@ -586,10 +587,11 @@ # log_events and log_actions functionality will eventually be merged. #log_actions = True -# Sanitize All HTML Tool Output -# By default, all tool output served as 'text/html' will be sanitized -# thoroughly. This can be disabled if you have special tools that require -# unaltered output. +# Sanitize All HTML Tool Output By default, all tool output served as +# 'text/html' will be sanitized thoroughly. This can be disabled if +# you have special tools that require unaltered output. WARNING: +# Disabling this does make the Galxy instance susceptible to XSS +# attacks initiated by your users. #sanitize_all_html = True # By default Galaxy will serve non-HTML tool output that may potentially https://bitbucket.org/galaxy/galaxy-central/commits/d32c333831cc/ Changeset: d32c333831cc User: jmchilton Date: 2014-11-26 13:58:14+00:00 Summary: Merge next-stable. Affected #: 1 file diff -r bf6fe8748b4d6f9096e9aa11f5abe7abcd372e27 -r d32c333831cc36c13430ca17ab893cab79554873 config/galaxy.ini.sample --- a/config/galaxy.ini.sample +++ b/config/galaxy.ini.sample 
@@ -523,13 +523,14 @@ # it faster on the fly. #upstream_gzip = False -# The following default adds a header to web request responses that will cause -# modern web browsers to not allow Galaxy to be embedded in the frames of web -# applications hosted at other hosts - this can help prevent a class of attack -# called clickjacking (https://www.owasp.org/index.php/Clickjacking). If you -# configuring a proxy to sit infront of Galaxy - please ensure this header -# remains intact to protect your users. Uncomment and leave empty to not set -# the `X-Frame-Options` header. +# The following default adds a header to web request responses that +# will cause modern web browsers to not allow Galaxy to be embedded in +# the frames of web applications hosted at other hosts - this can help +# prevent a class of attack called clickjacking +# (https://www.owasp.org/index.php/Clickjacking). If you configure a +# proxy in front of Galaxy - please ensure this header remains intact +# to protect your users. Uncomment and leave empty to not set the +# `X-Frame-Options` header. #x_frame_options = SAMEORIGIN # nginx can also handle file uploads (user-to-Galaxy) via nginx_upload_module. 
@@ -586,10 +587,11 @@ # log_events and log_actions functionality will eventually be merged. #log_actions = True -# Sanitize All HTML Tool Output -# By default, all tool output served as 'text/html' will be sanitized -# thoroughly. This can be disabled if you have special tools that require -# unaltered output. +# Sanitize All HTML Tool Output By default, all tool output served as +# 'text/html' will be sanitized thoroughly. This can be disabled if +# you have special tools that require unaltered output. WARNING: +# Disabling this does make the Galxy instance susceptible to XSS +# attacks initiated by your users. #sanitize_all_html = True # By default Galaxy will serve non-HTML tool output that may potentially Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
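Review bot: the reflowed `x_frame_options` comment in the first hunk tells operators running a proxy to "ensure this header remains intact" but gives no way to check that; since a proxy that rewrites response headers can silently drop the one Galaxy sets, suggest adding a one-line hint such as "verify with `curl -I` against the public URL that `X-Frame-Options: SAMEORIGIN` is still present". Minor style point in the same hunk: "If you configure a proxy in front of Galaxy - please ensure" reads better with a comma than a dash.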
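Review bot: the `sanitize_all_html` hunk introduces a typo, "Galxy" in "make the Galxy instance susceptible to XSS", which should be "Galaxy". The reflow also merged the section title into the first sentence ("# Sanitize All HTML Tool Output By default, all tool output ..."); restore the line break after "Tool Output" so the title stays a heading as it was in the removed lines. Since the commit message says the warning is aimed at public servers, consider saying so in the comment, e.g. "WARNING: on a public server, disabling this makes the Galaxy instance susceptible to XSS attacks initiated by your users", so the reader knows which deployments the warning targets.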