2 new commits in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/39b03ce9d101/ Changeset: 39b03ce9d101 User: guerler Date: 2014-12-08 20:34:11+00:00 Summary: Security fixes for assigned templates Affected #: 4 files
diff -r 864fdca5b06e6f15040298a316746448d09cdb40 -r 39b03ce9d101f7177c51342172ba9bab540ee257 templates/webapps/galaxy/tracks/history_datasets_select_grid.mako
--- a/templates/webapps/galaxy/tracks/history_datasets_select_grid.mako
+++ b/templates/webapps/galaxy/tracks/history_datasets_select_grid.mako
@@ -1,5 +1,5 @@
 <%inherit file="/tracks/history_select_grid.mako"/><%def name="title()">
- <h2>History '${grid.get_current_item( trans, **kwargs ).name}'</h2>
+ <h2>History '${grid.get_current_item( trans, **kwargs ).name | h}'</h2></%def>
diff -r 864fdca5b06e6f15040298a316746448d09cdb40 -r 39b03ce9d101f7177c51342172ba9bab540ee257 templates/webapps/galaxy/tracks/index.mako
--- a/templates/webapps/galaxy/tracks/index.mako
+++ /dev/null
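Review bot: The `| h` added on the `+` line escapes this one expression, but escaping stays opt-in for every other `${...}` in these templates, which is how the identical omission reached templates/webapps/galaxy/tracks/library_datasets_select_grid.mako and templates/webapps/galaxy/visualization/phyloviz.mako in the same commit. A more durable fix is to configure `default_filters=['h']` on the Mako TemplateLookup that renders these templates so escaping is the default and only deliberately raw markup opts out with `| n`; where that lookup is configured is not visible here. Until then a Mako comment at the top of the template, `## Every ${...} output here must carry | h unless it is already-escaped markup`, makes the expectation explicit for the next editor.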
@@ -1,38 +0,0 @@
-<form id="form" method="POST">
- <div class="form-row">
- <label for="dbkey">Browser name:</label>
- <div class="form-row-input">
- <input type="text" name="title" id="title" value="Unnamed Browser"></input>
- </div>
- <div style="clear: both;"></div>
- </div>
- <div class="form-row">
- <label for="dbkey">Reference genome build (dbkey): </label>
- <div class="form-row-input">
- <select name="dbkey" id="dbkey" refresh_on_change="true">
- %for tmp_dbkey in dbkey_set:
- <option value="${tmp_dbkey}"
- %if tmp_dbkey == dbkey:
- selected="selected"
- %endif
- >${tmp_dbkey}</option>
- %endfor
- </select>
- </div>
- <div style="clear: both;"></div>
- </div>
- <div class="form-row">
- <label for="dataset_ids">Datasets to visualize: (${", ".join(available_tracks)} files are supported)</label>
- %for dataset_id, (dataset_ext, dataset_name) in datasets.iteritems():
- <div>
- <input type="checkbox" id="${dataset_id}" name="dataset_ids" value="${dataset_id}" />
- <label style="display:inline; font-weight: normal" for="${dataset_id}">[${dataset_ext}] ${dataset_name}</label>
- </div>
- %endfor
-
- <div style="clear: both;"></div>
- </div>
- <div class="form-row">
- <input type="submit" name="browse" value="Browse"/>
- </div>
-</form>
diff -r 864fdca5b06e6f15040298a316746448d09cdb40 -r 39b03ce9d101f7177c51342172ba9bab540ee257 templates/webapps/galaxy/tracks/library_datasets_select_grid.mako
--- a/templates/webapps/galaxy/tracks/library_datasets_select_grid.mako
+++ b/templates/webapps/galaxy/tracks/library_datasets_select_grid.mako
@@ -2,7 +2,7 @@
 <%namespace file='/library/common/browse_library.mako' import="render_content, grid_javascripts" /><%def name="title()">
- <h2>History '${grid.get_current_item( trans, **kwargs ).name}'</h2>
+ <h2>History '${grid.get_current_item( trans, **kwargs ).name | h}'</h2></%def>
 ${select_header()}
diff -r 864fdca5b06e6f15040298a316746448d09cdb40 -r 39b03ce9d101f7177c51342172ba9bab540ee257 templates/webapps/galaxy/visualization/phyloviz.mako
--- a/templates/webapps/galaxy/visualization/phyloviz.mako
+++ b/templates/webapps/galaxy/visualization/phyloviz.mako
@@ -196,7 +196,7 @@
 <p>Select a tree to view: <select id="phylovizNexSelector">
 % for tree, index in data["trees"]:
- <option value="${index}">${tree}</option>
+ <option value="${index | h}">${tree | h}</option>
 % endfor
 </select></p>
https://bitbucket.org/galaxy/galaxy-central/commits/0fb0c56af3cf/ Changeset: 0fb0c56af3cf User: guerler Date: 2014-12-08 20:38:01+00:00 Summary: Parameters: Handle missing context Affected #: 1 file
diff -r 39b03ce9d101f7177c51342172ba9bab540ee257 -r 0fb0c56af3cf25bb8c3bb366d34c6aedcbb9df14 lib/galaxy/tools/parameters/basic.py
--- a/lib/galaxy/tools/parameters/basic.py
+++ b/lib/galaxy/tools/parameters/basic.py
@@ -767,7 +767,10 @@
 if self.options:
 return self.options.get_options( trans, other_values )
 elif self.dynamic_options:
- return eval( self.dynamic_options, self.tool.code_namespace, other_values )
+ try:
+ return eval( self.dynamic_options, self.tool.code_namespace, other_values )
+ except Exception:
+ return []
 else:
 return self.static_options
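Review bot: The heading on the `+` line still reads `History '…'` although this template imports its helpers from `/library/common/browse_library.mako` and is named for library datasets, so the escaped value is presumably a library rather than a history; if so, `<h2>Library '${grid.get_current_item( trans, **kwargs ).name | h}'</h2>` would label it correctly. The `| h` itself is fine and matches the sibling history template changed in this commit.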
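Review bot: The `except Exception: return []` added around the eval on the `+` lines silently turns any failure in a tool's dynamic options code — a genuine programming error as much as the missing-context case the summary targets — into an empty option list, so a broken tool renders with no choices and nothing in the log. At minimum record the failure before returning, `except Exception:` / `log.exception( "Failed to evaluate dynamic options" )` / `return []` (assuming the module's logger is `log`), and consider narrowing the clause to the exception the missing context actually raises. The same pattern is added in the following hunk (`@@ -779,7 +782,10 @@`), where returning `set()` presumably fails closed for validation but deserves the same logging. The eval still executes code taken from the tool definition with `self.tool.code_namespace` as globals and `other_values` as locals; the new try/except does not alter that trust boundary. The enclosing method starts before this hunk.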
@@ -779,7 +782,10 @@
 if self.options:
 return map( _get_UnvalidatedValue_value, set( v for _, v, _ in self.options.get_options( trans, other_values ) ) )
 elif self.dynamic_options:
- return set( v for _, v, _ in eval( self.dynamic_options, self.tool.code_namespace, other_values ) )
+ try:
+ return set( v for _, v, _ in eval( self.dynamic_options, self.tool.code_namespace, other_values ) )
+ except Exception:
+ return set()
 else:
 return self.legal_values
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.