24 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/8b4a7e48d052/ Changeset: 8b4a7e48d052 Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: Sanitize workflow and input dataset names in workflow run.mako. Affected #: 1 file diff -r 885f940bff64bbb6769fd31b21b0c73f4bfe1642 -r 8b4a7e48d052ef1c2275061c44827ad8b20ec57f templates/webapps/galaxy/workflow/run.mako --- a/templates/webapps/galaxy/workflow/run.mako +++ b/templates/webapps/galaxy/workflow/run.mako @@ -372,7 +372,7 @@ <% cls = "form-row" %> %endif <div class="${cls}"> - <label>${param.get_label()}</label> + <label>${param.get_label() | h}</label><div> %if isinstance( param, DataToolParameter ) or isinstance( param, DataCollectionToolParameter ): %if ( prefix + param.name ) in step.input_connections_by_name: @@ -474,7 +474,7 @@ <span class="action-button" id="hide_all_tool_body">Collapse</span></div> -<h2>Running workflow "${h.to_unicode( workflow.name )}"</h2> +<h2>Running workflow "${h.to_unicode( workflow.name ) | h}"</h2> %if has_upgrade_messages: <div class="warningmessage"> @@ -586,7 +586,7 @@ %else: <div class="toolForm"><div class="toolFormTitle"> - <span class='title_ul_text'>Step ${int(step.order_index)+1}: ${module.name}</span> + <span class='title_ul_text'>Step ${int(step.order_index)+1}: ${module.name | h}</span> % if step.annotations: <div class="step-annotation">${step.annotations[0].annotation}</div> % endif https://bitbucket.org/galaxy/galaxy-central/commits/bf1b90f6b3ba/ Changeset: bf1b90f6b3ba Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: Sanitize display of workflow parameters in workflow run.mako. Affected #: 1 file diff -r 8b4a7e48d052ef1c2275061c44827ad8b20ec57f -r bf1b90f6b3baa794955a1b7d2bb7b4c4dea52219 templates/webapps/galaxy/workflow/run.mako --- a/templates/webapps/galaxy/workflow/run.mako +++ b/templates/webapps/galaxy/workflow/run.mako 
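Review bot: `${step.annotations[0].annotation}` on the context line directly below the new `module.name | h` in the `@@ -586` hunk is still unfiltered, and a step annotation is user-authored text of the same kind as the names this commit escapes; the `${workflow.annotation}` context line in the missing_tools.mako hunk later in this series has the same gap. Unless step annotations are guaranteed to be sanitized when stored — nothing in this changeset shows that for step annotations, only for imported workflow annotations — the line should read `<div class="step-annotation">${step.annotations[0].annotation | h}</div>`. If annotations are deliberately allowed to carry sanitized markup, a Mako comment next to the expression (`## annotation is sanitized on write; rendered raw on purpose`) would make the exception explicit instead of leaving it indistinguishable from an omission.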
@@ -574,6 +574,7 @@ <% pja_ss_all = [] for pja_ss in [ActionBox.get_short_str(pja) for pja in step.post_job_actions]: + pja_ss = h.escape( pja_ss ) for rematch in re.findall('\$\{.+?\}', pja_ss): pja_ss = pja_ss.replace(rematch, '<span style="background-color:%s" class="wfpspan wf_parm__%s pja_wfp">%s</span>' % (wf_parms[rematch[2:-1]], rematch[2:-1], rematch[2:-1])) pja_ss_all.append(pja_ss) https://bitbucket.org/galaxy/galaxy-central/commits/a6708f36b062/ Changeset: a6708f36b062 Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: Sanitize workflow run.mako parameters not sanitized by tooling code. Affected #: 1 file diff -r bf1b90f6b3baa794955a1b7d2bb7b4c4dea52219 -r a6708f36b0624e60d266ba2a441aaf5a9143fd1d templates/webapps/galaxy/workflow/run.mako --- a/templates/webapps/galaxy/workflow/run.mako +++ b/templates/webapps/galaxy/workflow/run.mako @@ -444,7 +444,7 @@ %else: <span class="workflow_parameters"><span class="uneditable_field"> - ${param.value_to_display_text( value, app )} + ${param.value_to_display_text( value, app ) | h} </span><span class="editable_field"><span class="editable"> https://bitbucket.org/galaxy/galaxy-central/commits/76da60bbe585/ Changeset: 76da60bbe585 Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: More sanitization in workflow display.mako. Affected #: 1 file diff -r a6708f36b0624e60d266ba2a441aaf5a9143fd1d -r 76da60bbe585f19fc968ba2aa4a5e226c02cd92e templates/webapps/galaxy/workflow/display.mako --- a/templates/webapps/galaxy/workflow/display.mako +++ b/templates/webapps/galaxy/workflow/display.mako @@ -40,7 +40,7 @@ <%def name="row_for_param( param, value, other_values, prefix, step )"><% cls = "form-row" %><div class="${cls}"> - <label>${param.get_label()}</label> + <label>${param.get_label() | h}</label><div> %if isinstance( param, DataToolParameter ) or isinstance( param, DataCollectionToolParameter ): %if ( prefix + param.name ) in step.input_connections_by_name: 
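Review bot: `pja_ss = h.escape( pja_ss )` is now the sole protection for this string, because the `<span>` replacement on the lines below is the only place markup is introduced and the assembled `pja_ss_all` presumably has to be rendered unfiltered further down (outside the hunk) for those spans to work. A comment would protect that ordering from a later refactor: `# Escape user-visible text first; the <span> wrappers added below are the only markup this string may carry.` Note that after escaping, a `${...}` token whose name contained `&`, `<`, `>` or a quote now carries entity text into the `wf_parms[...]` lookup and the `class` attribute, so such a name would miss the lookup (KeyError) rather than render — worth confirming against how `wf_parms` is built, which is outside the hunk.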
@@ -93,19 +93,19 @@ %><div class="toolForm"> %if tool: - <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${tool.name}</div> + <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${tool.name | h}</div><div class="toolFormBody"> ${do_inputs( tool.inputs, step.state.inputs, "", step )} </div> %else: - <div class="toolFormTitle">Step ${int(step.order_index)+1}: Unknown Tool with id '${step.tool_id}'</div> + <div class="toolFormTitle">Step ${int(step.order_index)+1}: Unknown Tool with id '${step.tool_id | h}'</div> %endif </div> %else: ## TODO: always input dataset? <% module = step.module %><div class="toolForm"> - <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${module.name}</div> + <div class="toolFormTitle">Step ${int(step.order_index)+1}: ${module.name | h}</div><div class="toolFormBody"> ${do_inputs( module.get_runtime_inputs(), step.state.inputs, "", step )} </div> https://bitbucket.org/galaxy/galaxy-central/commits/8d095b5e0826/ Changeset: 8d095b5e0826 Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: Sanitize workflow name in message when extracting workflow from history. Affected #: 1 file diff -r 76da60bbe585f19fc968ba2aa4a5e226c02cd92e -r 8d095b5e0826b73abba81488fbd2a7f96e5327e0 lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py +++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py 
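Review bot: Escaping is applied here expression by expression (`tool.name | h`, `step.tool_id | h`, `module.name | h`), as it is in the run.mako, missing_tools.mako, list.mako and list_for_run.mako hunks in this series, so every expression not on the list stays unescaped by default — `${do_inputs( ... )}` on the context lines is one such expression and relies on the callee escaping internally. The later configure_menu.mako and run_complete.mako commits instead declare `<%page expression_filter="h"/>` and opt out with `| n` where raw output is intended; applying that default to these templates as well would turn a fail-open allow-list into a fail-closed one. If the per-expression form is kept, a header comment such as `## NOTE: no page-level expression_filter; every ${...} that renders user data must carry | h` would at least document the rule for the next edit.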
@@ -1228,7 +1228,7 @@ # Index page with message workflow_id = trans.security.encode_id( stored_workflow.id ) return trans.show_message( 'Workflow "%s" created from current history. You can <a href="%s" target="_parent">edit</a> or <a href="%s">run</a> the workflow.' % - ( workflow_name, url_for( controller='workflow', action='editor', id=workflow_id ), + ( escape( workflow_name ), url_for( controller='workflow', action='editor', id=workflow_id ), url_for( controller='workflow', action='run', id=workflow_id ) ) ) @web.expose https://bitbucket.org/galaxy/galaxy-central/commits/e739a6399e17/ Changeset: e739a6399e17 Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: Sanitize workflow name in myexperiment export. On the off chance that XML file ever gets interpreted as HTML. Shouldn't hurt anything for well behaved workflow names. Affected #: 1 file diff -r 8d095b5e0826b73abba81488fbd2a7f96e5327e0 -r e739a6399e177e45856bf0d80170628c0c0b4b04 templates/webapps/galaxy/workflow/myexp_export.mako --- a/templates/webapps/galaxy/workflow/myexp_export.mako +++ b/templates/webapps/galaxy/workflow/myexp_export.mako @@ -9,7 +9,7 @@ ## Generate request. <?xml version="1.0"?><workflow> - <title>${workflow_name}</title> + <title>${workflow_name | h}</title><description>${workflow_description}</description><type>Galaxy</type><content encoding="base64" type="binary"> https://bitbucket.org/galaxy/galaxy-central/commits/9b1a9ef2d8d0/ Changeset: 9b1a9ef2d8d0 Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: Sanitize tool id, name, and version during workflow import. Affected #: 1 file diff -r e739a6399e177e45856bf0d80170628c0c0b4b04 -r 9b1a9ef2d8d0342e458e460e95f0bdad8fd7d85c lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py +++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py 
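Review bot: `escape( workflow_name )` is correct for the HTML message, but nothing in this changeset shows `escape` being imported into `lib/galaxy/webapps/galaxy/controllers/workflow.py`, while the later tools/__init__.py commit does add `from galaxy.web.framework.helpers import escape`; if the name is not already in scope in this module, this line raises `NameError` on the success path. Also worth confirming that `workflow_name` here is the raw user-supplied value rather than an already-sanitized one (as `san_new_name` is in the rename hunk later in the series), since double handling would show literal entity text in stored names. The enclosing function starts outside the hunk.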
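Review bot: `<description>${workflow_description}</description>` on the line directly below the new `${workflow_name | h}` is the same kind of user-authored text and is still interpolated raw; in an XML document a stray `<` or `&` there breaks well-formedness of the whole request, quite apart from the HTML-interpretation case the commit message mentions. It should be `<description>${workflow_description | h}</description>`; the `h` filter's output (`&lt;`, `&amp;`, numeric entities for quotes) is valid XML as well as HTML. Alternatively, declare `<%page expression_filter="h"/>` at the top of myexp_export.mako so both fields are covered by default.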
@@ -1125,7 +1125,7 @@ message += "You can likely install the required tools from one of the Galaxy tool sheds listed below.<br/>" for missing_tool_tup in missing_tool_tups: missing_tool_id, missing_tool_name, missing_tool_version = missing_tool_tup - message += "<b>Tool name</b> %s, <b>id</b> %s, <b>version</b> %s<br/>" % ( missing_tool_name, missing_tool_id, missing_tool_version ) + message += "<b>Tool name</b> %s, <b>id</b> %s, <b>version</b> %s<br/>" % ( escape( missing_tool_name ), escape( missing_tool_id ), escape( missing_tool_version ) ) message += "<br/>" for shed_name, shed_url in trans.app.tool_shed_registry.tool_sheds.items(): if shed_url.endswith( '/' ): https://bitbucket.org/galaxy/galaxy-central/commits/e830ab78a2ce/ Changeset: e830ab78a2ce Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: More sanitization while handling fields from an imported workflow. Affected #: 1 file diff -r 9b1a9ef2d8d0342e458e460e95f0bdad8fd7d85c -r e830ab78a2ce408523da03ae9a3d2677ba7c6d5f lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py +++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py @@ -1135,7 +1135,7 @@ url += '&tool_id=' for missing_tool_tup in missing_tool_tups: missing_tool_id = missing_tool_tup[0] - url += '%s,' % missing_tool_id + url += '%s,' % escape( missing_tool_id ) message += '<a href="%s">%s</a><br/>' % ( url, shed_name ) status = 'error' if installed_repository_file or tool_shed_url: https://bitbucket.org/galaxy/galaxy-central/commits/368ae981718f/ Changeset: 368ae981718f Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: More sanitizing of workflow name and tool information during import. Affected #: 1 file diff -r e830ab78a2ce408523da03ae9a3d2677ba7c6d5f -r 368ae981718f9c0dc98c641598723d3a75616fe3 lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py 
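Review bot: In the `@@ -1135` hunk, `url += '%s,' % escape( missing_tool_id )` applies HTML-entity escaping to a query-string component, which is the wrong layer: the id needs URL encoding when it is appended to `&tool_id=` (`urllib.quote( missing_tool_id, safe='' )` in Python 2), and the assembled `url` then needs HTML escaping when it is placed into `href="%s"` two lines below — that interpolation is still raw, so an id containing `"` can still close the attribute if `escape` does not encode quotes, and an `&amp;` in the query string is decoded back to `&` by the browser, so the tool shed still sees a parameter separator. `shed_name` on the same `message +=` line is also unescaped; it comes from the tool shed registry configuration, so the risk is lower, but escaping it costs nothing. The first hunk (`@@ -1125`) is fine; both enclosing functions start outside the hunks.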
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py @@ -1111,7 +1111,7 @@ message += "Imported, but this workflow contains cycles. " status = "error" else: - message += "Workflow <b>%s</b> imported successfully. " % workflow.name + message += "Workflow <b>%s</b> imported successfully. " % escape( workflow.name ) if missing_tool_tups: if trans.user_is_admin(): # A required tool is not available in the local Galaxy instance. @@ -1155,13 +1155,13 @@ pass if tool_shed_url: # We've received the textual representation of a workflow from a Galaxy tool shed. - message = "Workflow <b>%s</b> imported successfully." % workflow.name + message = "Workflow <b>%s</b> imported successfully." % escape( workflow.name ) url = '%s/workflow/view_workflow?repository_metadata_id=%s&workflow_name=%s&message=%s' % \ ( tool_shed_url, repository_metadata_id, encoding_util.tool_shed_encode( workflow_name ), message ) return trans.response.send_redirect( url ) elif installed_repository_file: # The workflow was read from a file included with an installed tool shed repository. - message = "Workflow <b>%s</b> imported successfully." % workflow.name + message = "Workflow <b>%s</b> imported successfully." % escape( workflow.name ) if cntrller == 'api': return status, message return trans.response.send_redirect( web.url_for( controller='admin_toolshed', https://bitbucket.org/galaxy/galaxy-central/commits/883191fe0d52/ Changeset: 883191fe0d52 Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: Sanitize workflow name and tool ids when running workflow with missing tools. Affected #: 1 file diff -r 368ae981718f9c0dc98c641598723d3a75616fe3 -r 883191fe0d5226748cb01237372e73ed0293e932 templates/webapps/galaxy/workflow/missing_tools.mako --- a/templates/webapps/galaxy/workflow/missing_tools.mako +++ b/templates/webapps/galaxy/workflow/missing_tools.mako 
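Review bot: In the `@@ -1155` hunk the escaped `message` is then interpolated raw into the redirect `url` (`...&message=%s`) on the context lines below it, without URL encoding; the entities `escape()` now introduces contain `&` and, for numeric entities, `#`, so a name with a quote or ampersand yields a query string the receiving tool shed splits at the wrong place or truncates at the `#`. The workflow name on that same line is passed through `encoding_util.tool_shed_encode( workflow_name )`; `message` needs the equivalent, e.g. `urllib.quote_plus( message )`, applied after HTML escaping rather than instead of it. The other two hunks (`@@ -1111` and the `installed_repository_file` branch) return `message` to an HTML page or, when `cntrller == 'api'`, directly to the API caller, which now receives HTML entities in a non-HTML response — see the note on the tools/__init__.py import hunk. The enclosing function starts before these hunks.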
@@ -1,6 +1,6 @@ <%inherit file="/base.mako"/> -<h2>Cannot run workflow "${h.to_unicode( workflow.name )}"</h2> +<h2>Cannot run workflow "${h.to_unicode( workflow.name ) | h}"</h2> %if workflow.annotation: <div class="workflow-annotation">${workflow.annotation}</div> @@ -11,7 +11,7 @@ <strong>This workflow utilizes tools which are unavailable, and cannot be run. Enable the tools listed below, or <a href="${h.url_for(controller='workflow', action='editor', id=trans.security.encode_id(workflow.id) )}" target="_parent">edit the workflow</a> to correct these errors.</strong><br/><ul> %for i, tool in enumerate( missing_tools ): - <li>${tool}</li> + <li>${tool | h}</li> %endfor </ul></div> \ No newline at end of file https://bitbucket.org/galaxy/galaxy-central/commits/f7c388aa4f64/ Changeset: f7c388aa4f64 Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: Sanitize incoming workflow annotations during imports. Affected #: 1 file diff -r 883191fe0d5226748cb01237372e73ed0293e932 -r f7c388aa4f6492b0411028d69a853d8d9e6978c7 lib/galaxy/web/base/controller.py --- a/lib/galaxy/web/base/controller.py +++ b/lib/galaxy/web/base/controller.py @@ -1671,7 +1671,8 @@ stored.user = trans.user stored.published = publish if data[ 'annotation' ]: - self.add_item_annotation( trans.sa_session, stored.user, stored, data[ 'annotation' ] ) + annotation = sanitize_html( data[ 'annotation' ], 'utf-8', 'text/html' ) + self.add_item_annotation( trans.sa_session, stored.user, stored, annotation ) # Persist trans.sa_session.add( stored ) https://bitbucket.org/galaxy/galaxy-central/commits/0effe518ca21/ Changeset: 0effe518ca21 Branch: stable User: jmchilton Date: 2014-12-08 16:11:25+00:00 Summary: More workflow template sanitization during rename, copy, delete. Affected #: 2 files diff -r f7c388aa4f6492b0411028d69a853d8d9e6978c7 -r 0effe518ca213468e071b0e22c6e6e7276cbc40c lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py 
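Review bot: `sanitize_html( data[ 'annotation' ], 'utf-8', 'text/html' )` sanitizes on write, which covers only annotations arriving through this import path; rows already stored and annotations set through other writers are unchanged, and whatever the sanitizer's allow-list admits is rendered as markup by any template that trusts `item.annotation`. Escaping at render time (`| h`) is the more robust default, and the two approaches now coexist — the embed_base.mako hunk later in this series applies `| h` to `item.annotation`, which will display any markup this call allowed through as literal text. Decide on one contract and record it next to this line, e.g. `# Annotations are stored as sanitized HTML and rendered raw; do not also escape on output` or the reverse. The `if data[ 'annotation' ]:` lookup on the context line raises `KeyError` for payloads without the key (`data.get( 'annotation' )` avoids that) — pre-existing, but this hunk touches the branch. The enclosing method starts outside the hunk.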
+++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py @@ -437,7 +437,7 @@ stored.latest_workflow.name = san_new_name trans.sa_session.flush() # For current workflows grid: - trans.set_message( "Workflow renamed to '%s'." % new_name ) + trans.set_message( "Workflow renamed to '%s'." % san_new_name ) return self.list( trans ) # For new workflows grid: #message = "Workflow renamed to '%s'." % new_name @@ -557,7 +557,7 @@ session.add( new_stored ) session.flush() # Display the management page - trans.set_message( 'Created new workflow with name "%s"' % new_stored.name ) + trans.set_message( 'Created new workflow with name "%s"' % escape( new_stored.name ) ) return self.list( trans ) @web.expose @@ -604,7 +604,7 @@ trans.sa_session.add( stored ) trans.sa_session.flush() # Display the management page - trans.set_message( "Workflow '%s' deleted" % stored.name ) + trans.set_message( "Workflow '%s' deleted" % escape( stored.name ) ) return self.list( trans ) @web.expose diff -r f7c388aa4f6492b0411028d69a853d8d9e6978c7 -r 0effe518ca213468e071b0e22c6e6e7276cbc40c templates/webapps/galaxy/workflow/rename.mako --- a/templates/webapps/galaxy/workflow/rename.mako +++ b/templates/webapps/galaxy/workflow/rename.mako @@ -15,7 +15,7 @@ %endif <div class="toolForm"> - <div class="toolFormTitle">Rename workflow '${stored.name}'</div> + <div class="toolFormTitle">Rename workflow '${stored.name | h}'</div><div class="toolFormBody"><form action="${h.url_for(controller='workflow', action='rename', id=trans.security.encode_id(stored.id) )}" method="POST"><div class="form-row"> 
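Review bot: The `@@ -437` hunk relies on `san_new_name` already being safe to render, which holds only if the sanitizer it came from also neutralizes `<`, `>` and `&`; sanitizing (stripping or rewriting characters) and escaping are different operations, and if the former does not cover those characters the message still needs `escape( san_new_name )`. The other two hunks wrap raw model fields in `escape()`, so the asymmetry is deliberate but easy to undo later — a one-line comment would help: `# san_new_name is the sanitized value just stored; show it, not the raw new_name`. The rename.mako hunk (`value="${stored.name | h}"`) is correct for an attribute context because the `h` filter also encodes quotes. The enclosing methods start outside the hunks.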
@@ -23,7 +23,7 @@ New name </label><div style="float: left; width: 250px; margin-right: 10px;"> - <input type="text" name="new_name" value="${stored.name}" size="40"> + <input type="text" name="new_name" value="${stored.name | h}" size="40"></div><div style="clear: both"></div></div> https://bitbucket.org/galaxy/galaxy-central/commits/66dc08787b6f/ Changeset: 66dc08787b6f Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: Sanitize all values in configure_menu.mako. Affected #: 1 file diff -r 0effe518ca213468e071b0e22c6e6e7276cbc40c -r 66dc08787b6feff55473bf1e032ce4517d28bb42 templates/webapps/galaxy/workflow/configure_menu.mako --- a/templates/webapps/galaxy/workflow/configure_menu.mako +++ b/templates/webapps/galaxy/workflow/configure_menu.mako @@ -1,4 +1,5 @@ <%inherit file="/webapps/galaxy/base_panels.mako"/> +<%page expression_filter="h"/><%def name="init()"><% https://bitbucket.org/galaxy/galaxy-central/commits/118df7eb098f/ Changeset: 118df7eb098f Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: Sanitize workflow names in tool menu. Affected #: 1 file diff -r 66dc08787b6feff55473bf1e032ce4517d28bb42 -r 118df7eb098f83191b70d32a290becf9753160bf templates/webapps/galaxy/root/tool_menu.mako --- a/templates/webapps/galaxy/root/tool_menu.mako +++ b/templates/webapps/galaxy/root/tool_menu.mako 
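Review bot: `<%page expression_filter="h"/>` applies HTML escaping to every `${...}` in configure_menu.mako, which is the right default, but it also alters expressions that intentionally emit markup or URLs — only the header is in the hunk, so whether any such expression exists in the rest of the template cannot be confirmed from here. The matching run_complete.mako commit marks its `h.url_for(...)` with `| n`; the same audit is needed for this template, and a comment after the directive would record the contract: `## All expressions are HTML-escaped; use | n only for values produced by url_for or other server-side helpers`. The `@@ -23` rename.mako hunk on this line is fine.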
@@ -82,7 +82,7 @@ %if t.user.stored_workflow_menu_entries: %for m in t.user.stored_workflow_menu_entries: <div class="toolTitle"> - <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(m.stored_workflow_id) )}" target="galaxy_main">${ util.unicodify( m.stored_workflow.name ) }</a> + <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(m.stored_workflow_id) )}" target="galaxy_main">${ util.unicodify( m.stored_workflow.name ) | h}</a></div> %endfor %endif https://bitbucket.org/galaxy/galaxy-central/commits/6d94a32edcd7/ Changeset: 6d94a32edcd7 Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: Sanitize workflow and dataset names in run_complete.mako. Affected #: 1 file diff -r 118df7eb098f83191b70d32a290becf9753160bf -r 6d94a32edcd7c07f2ff9b14b651745092671a0e2 templates/webapps/galaxy/workflow/run_complete.mako --- a/templates/webapps/galaxy/workflow/run_complete.mako +++ b/templates/webapps/galaxy/workflow/run_complete.mako @@ -1,4 +1,5 @@ <%inherit file="/base.mako"/> +<%page expression_filter="h"/><div class="donemessagelarge"> Successfully ran workflow "${util.unicodify( workflow.name )}". The following datasets have been added to the queue: 
@@ -6,7 +7,7 @@ <div class="workflow-invocation-complete"> %if invocation['new_history']: <p>These datasets will appear in a new history: - <a target='galaxy_history' href="${h.url_for( controller='history', action='list', operation="Switch", id=trans.security.encode_id(invocation['new_history'].id), use_panels=False, show_deleted=False )}"> + <a target='galaxy_history' href="${h.url_for( controller='history', action='list', operation="Switch", id=trans.security.encode_id(invocation['new_history'].id), use_panels=False, show_deleted=False ) | n}"> '${h.to_unicode(invocation['new_history'].name)}'. </a></p> %endif https://bitbucket.org/galaxy/galaxy-central/commits/a9475110d9bc/ Changeset: a9475110d9bc Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: Sanitize values in switching data parameter form. Affected #: 1 file diff -r 6d94a32edcd7c07f2ff9b14b651745092671a0e2 -r a9475110d9bcf52edc445de0ce5f66fecdc29e5b lib/galaxy/web/form_builder.py --- a/lib/galaxy/web/form_builder.py +++ b/lib/galaxy/web/form_builder.py @@ -563,7 +563,7 @@ html += '<input name="__switch_default__" type="hidden" value="%s" />' % self.default_field options = [] for name, delegate_field in self.delegate_fields.items(): - field = dumps( delegate_field.to_dict() ) + field = escape( dumps( delegate_field.to_dict() ) ) option = " '%s': %s" % ( name, field ) options.append( option ) html += '<script>$(document).ready( function() {\nvar switchOptions = {\n' https://bitbucket.org/galaxy/galaxy-central/commits/de60fe1e52fe/ Changeset: de60fe1e52fe Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: Sanitization for workflows_for_run.mako. Affected #: 1 file diff -r a9475110d9bcf52edc445de0ce5f66fecdc29e5b -r de60fe1e52fe56611629775affe698768f460581 templates/webapps/galaxy/workflow/list_for_run.mako --- a/templates/webapps/galaxy/workflow/list_for_run.mako +++ b/templates/webapps/galaxy/workflow/list_for_run.mako 
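Review bot: `| n` on the `href` expression disables the page-level filter for that value, yet HTML escaping is the correct encoding for a URL inside an attribute — `&` becomes `&amp;`, which browsers decode back before requesting — so the exemption is not needed for correctness and weakens the default for a value assembled partly from request-derived ids. If it is kept for readability of the generated markup, say why inline: `## | n: url_for output, server-generated; no user text`. The `'${h.to_unicode(invocation['new_history'].name)}'` expression on the line below is now covered by the page filter, which is the substantive fix here.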
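Review bot: `escape( dumps( delegate_field.to_dict() ) )` applies HTML-entity escaping to JSON that is emitted inside a `<script>` block (`var switchOptions = {...}` on the context lines), where entities are not decoded: if `escape` encodes quotes the object literal becomes a JavaScript syntax error, and if it is `cgi.escape` with its default `quote=False` the script stays valid but every `<`, `>` and `&` inside the serialized values reaches the client as literal `&lt;`/`&amp;` text. Script-context escaping belongs at the JSON level instead, e.g. `field = dumps( delegate_field.to_dict() ).replace( '<', '\\u003c' ).replace( '>', '\\u003e' ).replace( '&', '\\u0026' )`, which keeps the payload parseable and still prevents a `</script>` breakout. The `value="%s" % self.default_field` and `" '%s': %s" % ( name, field )` interpolations on the context lines remain raw; `name` becomes a single-quoted JS key and would need JSON-style quoting too if it can contain `'`. The enclosing method starts outside the hunk.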
@@ -36,7 +36,7 @@ %for i, workflow in enumerate( workflows ): <tr><td> - <a href="${h.url_for(controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name )}</a> + <a href="${h.url_for(controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name ) | h}</a><a id="wf-${i}-popup" class="popup-arrow" style="display: none;">▼</a></td><td>${len(workflow.latest_workflow.steps)}</td> @@ -64,10 +64,10 @@ <% workflow = association.stored_workflow %><tr><td> - <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${workflow.name}</a> + <a href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${workflow.name | h}</a><a id="shared-${i}-popup" class="popup-arrow" style="display: none;">▼</a></td> - <td>${workflow.user.email}</td> + <td>${workflow.user.email | h}</td><td>${len(workflow.latest_workflow.steps)}</td></tr> %endfor https://bitbucket.org/galaxy/galaxy-central/commits/293f3ff27dcb/ Changeset: 293f3ff27dcb Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: Sanitize user e-mail in workflow sharing actions. Affected #: 1 file diff -r de60fe1e52fe56611629775affe698768f460581 -r 293f3ff27dcb5f5b22d6dea3ac7274a309f0c36b lib/galaxy/webapps/galaxy/controllers/workflow.py --- a/lib/galaxy/webapps/galaxy/controllers/workflow.py +++ b/lib/galaxy/webapps/galaxy/controllers/workflow.py 
@@ -311,14 +311,14 @@ .first() if not other: mtype = "error" - msg = ( "User '%s' does not exist" % email ) + msg = ( "User '%s' does not exist" % escape( email ) ) elif other == trans.get_user(): mtype = "error" msg = ( "You cannot share a workflow with yourself" ) elif trans.sa_session.query( model.StoredWorkflowUserShareAssociation ) \ .filter_by( user=other, stored_workflow=stored ).count() > 0: mtype = "error" - msg = ( "Workflow already shared with '%s'" % email ) + msg = ( "Workflow already shared with '%s'" % escape( email ) ) else: share = model.StoredWorkflowUserShareAssociation() share.stored_workflow = stored @@ -326,7 +326,7 @@ session = trans.sa_session session.add( share ) session.flush() - trans.set_message( "Workflow '%s' shared with user '%s'" % ( stored.name, other.email ) ) + trans.set_message( "Workflow '%s' shared with user '%s'" % ( escape( stored.name ), escape( other.email ) ) ) return trans.response.send_redirect( url_for( controller='workflow', action='sharing', id=id ) ) return trans.fill_template( "/ind_share_base.mako", message=msg, https://bitbucket.org/galaxy/galaxy-central/commits/70403d601043/ Changeset: 70403d601043 Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: One last fix for workflow/list.mako. Affected #: 1 file diff -r 293f3ff27dcb5f5b22d6dea3ac7274a309f0c36b -r 70403d6010438350b3762a562bdfdd6846d91ea2 templates/webapps/galaxy/workflow/list.mako --- a/templates/webapps/galaxy/workflow/list.mako +++ b/templates/webapps/galaxy/workflow/list.mako 
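Review bot: The share logic in this hunk is repeated almost verbatim in the page.py and visualization.py hunks later in the series (`User '%s' does not exist`, `... already shared with '%s'`, `... shared with user '%s'`), and each copy now has to be escaped separately — this commit and those two do it in slightly different shapes (inline `escape( email )` here, pre-escaped locals there). A single helper on the shared sharing mixin that builds and escapes these three messages would make the next field added to them safe in one place. Not a functional issue with this hunk; the enclosing method starts outside it.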
@@ -94,7 +94,7 @@ <% workflow = association.stored_workflow %><tr><td> - <a class="menubutton" id="shared-${i}-popup" href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name )}</a> + <a class="menubutton" id="shared-${i}-popup" href="${h.url_for( controller='workflow', action='run', id=trans.security.encode_id(workflow.id) )}">${h.to_unicode( workflow.name ) | h}</a></td><td>${workflow.user.email}</td><td>${len(workflow.latest_workflow.steps)}</td> https://bitbucket.org/galaxy/galaxy-central/commits/341c3a853e28/ Changeset: 341c3a853e28 Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: Some comments to clarify working santization. Affected #: 2 files diff -r 70403d6010438350b3762a562bdfdd6846d91ea2 -r 341c3a853e28fb1177d5e212ef4a3220eba4fbdc lib/galaxy/security/validate_user_input.py --- a/lib/galaxy/security/validate_user_input.py +++ b/lib/galaxy/security/validate_user_input.py @@ -1,3 +1,9 @@ +""" +Utilities for validating inputs related to user objects. + +The validate_* methods in this file return simple messages that do not contain +user inputs - so these methods do not need to be escaped. +""" import logging import re diff -r 70403d6010438350b3762a562bdfdd6846d91ea2 -r 341c3a853e28fb1177d5e212ef4a3220eba4fbdc lib/galaxy/web/base/controller.py --- a/lib/galaxy/web/base/controller.py +++ b/lib/galaxy/web/base/controller.py 
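Review bot: `<td>${workflow.user.email}</td>` on the context line directly below the new `${h.to_unicode( workflow.name ) | h}` is still unescaped, while the parallel list_for_run.mako hunk in this series escapes exactly that field; an e-mail address is user-registered text and should be treated the same in both tables: `<td>${workflow.user.email | h}</td>`. The docstring added to validate_user_input.py states a contract ("messages do not contain user inputs") that callers such as `set_public_username` in the next hunk rely on to skip escaping; a unit test asserting that `validate_*` return values never contain their input would keep that promise from eroding silently.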
@@ -2581,6 +2581,8 @@ def set_public_username( self, trans, id, username, **kwargs ): """ Set user's public username and delegate to sharing() """ user = trans.get_user() + # message from validate_publicname does not contain input, no need + # to escape. message = validate_publicname( trans, username, user ) if message: return trans.fill_template( '/sharing_base.mako', item=self.get_item( trans, id ), message=message, status='error' ) https://bitbucket.org/galaxy/galaxy-central/commits/f88707a93008/ Changeset: f88707a93008 Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: Sanitize error message when unsharing history. Affected #: 1 file diff -r 341c3a853e28fb1177d5e212ef4a3220eba4fbdc -r f88707a930087d82a2a9bd63b73d5f62887c2d86 lib/galaxy/webapps/galaxy/controllers/history.py --- a/lib/galaxy/webapps/galaxy/controllers/history.py +++ b/lib/galaxy/webapps/galaxy/controllers/history.py @@ -659,7 +659,9 @@ for husa in husas: trans.sa_session.delete( husa ) if not deleted_sharing_relation: - message = "History '%s' does not seem to be shared with user '%s'" % ( history.name, user.email ) + history_name = escape( history.name ) + user_email = escape( user.email ) + message = "History '%s' does not seem to be shared with user '%s'" % ( history_name, user_email ) return trans.fill_template( '/sharing_base.mako', item=history, message=message, status='error' ) https://bitbucket.org/galaxy/galaxy-central/commits/8d8e43126e48/ Changeset: 8d8e43126e48 Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: More sanitization of tool ids during tool related activities. Affected #: 1 file diff -r f88707a930087d82a2a9bd63b73d5f62887c2d86 -r 8d8e43126e48e21546794ed5ff50beae5e6fe41a lib/galaxy/tools/__init__.py --- a/lib/galaxy/tools/__init__.py +++ b/lib/galaxy/tools/__init__.py 
@@ -66,6 +66,7 @@ from galaxy.util.template import fill_template from galaxy.web import url_for from galaxy.web.form_builder import SelectField +from galaxy.web.framework.helpers import escape from galaxy.model.item_attrs import Dictifiable from galaxy.model import Workflow from tool_shed.util import common_util @@ -734,7 +735,7 @@ success = True # Make sure the tool is actually loaded. if tool_id not in self.tools_by_id: - return None, False, "No tool with id %s" % tool_id + return None, False, "No tool with id %s" % escape( tool_id ) else: tool = self.tools_by_id[ tool_id ] tarball_files = [] @@ -843,7 +844,7 @@ replace the old tool. """ if tool_id not in self.tools_by_id: - message = "No tool with id %s" % tool_id + message = "No tool with id %s" % escape( tool_id ) status = 'error' else: old_tool = self.tools_by_id[ tool_id ] @@ -880,7 +881,7 @@ Attempt to remove the tool identified by 'tool_id'. """ if tool_id not in self.tools_by_id: - message = "No tool with id %s" % tool_id + message = "No tool with id %s" % escape( tool_id ) status = 'error' else: tool = self.tools_by_id[ tool_id ] https://bitbucket.org/galaxy/galaxy-central/commits/e461da2d5b6e/ Changeset: e461da2d5b6e Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: Sanitize user generated values in tool_executed.mako. Affected #: 1 file diff -r 8d8e43126e48e21546794ed5ff50beae5e6fe41a -r e461da2d5b6e8596297a19b93da107fe18bd449e templates/webapps/galaxy/tool_executed.mako --- a/templates/webapps/galaxy/tool_executed.mako +++ b/templates/webapps/galaxy/tool_executed.mako @@ -61,7 +61,7 @@ ${jobs_str} been successfully added to the queue - resulting in the following ${datasets_str}: </p> %for _, data in out_data: - <div style="padding: 10px"><b> ${data.hid}: ${data.name}</b></div> + <div style="padding: 10px"><b> ${data.hid}: ${data.name | h}</b></div> %endfor <p> 
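Review bot: Escaping with `escape( tool_id )` at message-construction time inside `lib/galaxy/tools/__init__.py` means every caller — including API/JSON consumers of the same `message` strings (the workflow import hunk earlier in this series returns `message` directly when `cntrller == 'api'`) — now receives HTML entities whether or not the output is HTML, and it pulls a web-framework helper into the tool layer. Escaping belongs at the rendering boundary (the template or `set_message` path that emits HTML), with the tool layer returning plain text; if that refactor is out of scope, at least mark the intent so a non-HTML caller is not surprised: `# tool_id is echoed into HTML status messages; escaped here because callers render it raw`. The three `No tool with id %s` hunks are otherwise consistent with each other; their enclosing methods start outside the hunks.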
@@ -83,7 +83,7 @@ <ul><!-- Styling on this list is a little flat. Consider identing these error messages. --> %for job_error in job_errors: - <li><b>${job_error}</b></li> + <li><b>${job_error | h}</b></li> %endfor </ul></div> https://bitbucket.org/galaxy/galaxy-central/commits/6619aac23f9b/ Changeset: 6619aac23f9b Branch: stable User: jmchilton Date: 2014-12-08 16:11:26+00:00 Summary: More sanitization related to sharing objects. Affected #: 4 files diff -r e461da2d5b6e8596297a19b93da107fe18bd449e -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 lib/galaxy/webapps/galaxy/controllers/page.py --- a/lib/galaxy/webapps/galaxy/controllers/page.py +++ b/lib/galaxy/webapps/galaxy/controllers/page.py @@ -499,14 +499,14 @@ .first() if not other: mtype = "error" - msg = ( "User '%s' does not exist" % email ) + msg = ( "User '%s' does not exist" % escape( email ) ) elif other == trans.get_user(): mtype = "error" msg = ( "You cannot share a page with yourself" ) elif trans.sa_session.query( model.PageUserShareAssociation ) \ .filter_by( user=other, page=page ).count() > 0: mtype = "error" - msg = ( "Page already shared with '%s'" % email ) + msg = ( "Page already shared with '%s'" % escape( email ) ) else: share = model.PageUserShareAssociation() share.page = page @@ -515,7 +515,9 @@ session.add( share ) self.create_item_slug( session, page ) session.flush() - trans.set_message( "Page '%s' shared with user '%s'" % ( page.title, other.email ) ) + page_title = escape( page.title ) + other_email = escape( other.email ) + trans.set_message( "Page '%s' shared with user '%s'" % ( page_title, other_email ) ) return trans.response.send_redirect( url_for( controller='page', action='sharing', id=id ) ) return trans.fill_template( "/ind_share_base.mako", message = msg, diff -r e461da2d5b6e8596297a19b93da107fe18bd449e -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 lib/galaxy/webapps/galaxy/controllers/visualization.py --- a/lib/galaxy/webapps/galaxy/controllers/visualization.py 
+++ b/lib/galaxy/webapps/galaxy/controllers/visualization.py @@ -535,14 +535,14 @@ .first() if not other: mtype = "error" - msg = ( "User '%s' does not exist" % email ) + msg = ( "User '%s' does not exist" % escape( email ) ) elif other == trans.get_user(): mtype = "error" msg = ( "You cannot share a visualization with yourself" ) elif trans.sa_session.query( model.VisualizationUserShareAssociation ) \ .filter_by( user=other, visualization=visualization ).count() > 0: mtype = "error" - msg = ( "Visualization already shared with '%s'" % email ) + msg = ( "Visualization already shared with '%s'" % escape( email ) ) else: share = model.VisualizationUserShareAssociation() share.visualization = visualization @@ -551,7 +551,9 @@ session.add( share ) self.create_item_slug( session, visualization ) session.flush() - trans.set_message( "Visualization '%s' shared with user '%s'" % ( visualization.title, other.email ) ) + viz_title = escape( visualization.title ) + other_email = escape( other.email ) + trans.set_message( "Visualization '%s' shared with user '%s'" % ( viz_title, other_email ) ) return trans.response.send_redirect( web.url_for(controller='visualization', action='sharing', id=id ) ) return trans.fill_template( "/ind_share_base.mako", message = msg, diff -r e461da2d5b6e8596297a19b93da107fe18bd449e -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 templates/embed_base.mako --- a/templates/embed_base.mako +++ b/templates/embed_base.mako 
@@ -51,7 +51,7 @@ </div><h4><a class="toggle-embed" href="${display_href}" title="Show or hide ${item_display_name} content">Galaxy ${get_class_display_name( item.__class__ )} | ${get_item_name( item ) | h}</a></h4> %if hasattr( item, "annotation") and item.annotation: - <div class="annotation">${item.annotation}</div> + <div class="annotation">${item.annotation | h}</div> %endif ## Use a hidden var to store the ajax URL for getting an item's content. diff -r e461da2d5b6e8596297a19b93da107fe18bd449e -r 6619aac23f9bfe8d5ef59dc188359044e2ae25f7 templates/ind_share_base.mako --- a/templates/ind_share_base.mako +++ b/templates/ind_share_base.mako @@ -91,7 +91,7 @@ Email address of user to share with </label><div style="float: left; width: 250px; margin-right: 10px;"> - <input type="text" name="email" value="${email}" size="40"> + <input type="text" name="email" value="${email | h}" size="40"></div><div style="clear: both"></div></div> Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
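Review bot: `${item.annotation | h}` escapes the annotation on output, while the controller.py hunk earlier in this series (`sanitize_html( data[ 'annotation' ], ... )`) stores imported workflow annotations as sanitized HTML; for such an item this line now renders the allowed tags as literal `&lt;b&gt;` text. Either contract is defensible, but writers and templates need to agree — if annotations are plain text, the sanitizer call should become an escape (or be dropped in favour of this filter); if they are sanitized HTML, this line needs `| n` plus a `## annotation is sanitized on write` comment, which is the weaker option because it trusts every writer. The `value="${email | h}"` change in ind_share_base.mako is correct for an attribute context since the `h` filter also encodes quotes.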