1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/f26afae68417/ Changeset: f26afae68417 User: jmchilton Date: 2014-02-26 17:32:13 Summary: Merge latest stable. Affected #: 3 files diff -r 2295745a2888e74a518bdd6d7189d10031cbbf7d -r f26afae68417905a7f662671a18ca551f39ecf5f lib/galaxy/config.py --- a/lib/galaxy/config.py +++ b/lib/galaxy/config.py @@ -207,6 +207,7 @@ self.log_actions = string_as_bool( kwargs.get( 'log_actions', 'False' ) ) self.log_events = string_as_bool( kwargs.get( 'log_events', 'False' ) ) self.sanitize_all_html = string_as_bool( kwargs.get( 'sanitize_all_html', True ) ) + self.serve_xss_vulnerable_mimetypes = string_as_bool( kwargs.get( 'serve_xss_vulnerable_mimetypes', False ) ) self.enable_old_display_applications = string_as_bool( kwargs.get( "enable_old_display_applications", "True" ) ) self.ucsc_display_sites = kwargs.get( 'ucsc_display_sites', "main,test,archaea,ucla" ).lower().split(",") self.gbrowse_display_sites = kwargs.get( 'gbrowse_display_sites', "modencode,sgd_yeast,tair,wormbase,wormbase_ws120,wormbase_ws140,wormbase_ws170,wormbase_ws180,wormbase_ws190,wormbase_ws200,wormbase_ws204,wormbase_ws210,wormbase_ws220,wormbase_ws225" ).lower().split(",") diff -r 2295745a2888e74a518bdd6d7189d10031cbbf7d -r f26afae68417905a7f662671a18ca551f39ecf5f lib/galaxy/datatypes/data.py --- a/lib/galaxy/datatypes/data.py +++ b/lib/galaxy/datatypes/data.py @@ -21,6 +21,12 @@ eggs.require( "Paste" ) import paste +XSS_VULNERABLE_MIME_TYPES = [ + 'image/svg+xml', # Unfiltered by Galaxy and may contain JS that would be executed by some browsers. + 'application/xml', # Some browsers will evalute SVG embedded JS in such XML documents. +] +DEFAULT_MIME_TYPE = 'text/plain' # Vulnerable mime types will be replaced with this. + log = logging.getLogger(__name__) comptypes=[] # Is this being used anywhere, why was this here? -JohnC @@ -334,11 +340,12 @@ mime = trans.app.datatypes_registry.get_mimetype_by_extension( ".".split( file_path )[-1] ) except: mime = "text/plain" - trans.response.set_content_type( mime ) + self._clean_and_set_mime_type( trans, mime ) return open( file_path ) else: return trans.show_error_message( "Could not find '%s' on the extra files path %s." % ( filename, file_path ) ) - trans.response.set_content_type(data.get_mime()) + self._clean_and_set_mime_type( trans, data.get_mime() ) + trans.log_event( "Display dataset id: %s" % str( data.id ) ) from galaxy import datatypes #DBTODO REMOVE THIS AT REFACTOR if to_ext or isinstance(data.datatype, datatypes.binary.Binary): # Saving the file, or binary file @@ -624,6 +631,12 @@ dataset_source = dataproviders.dataset.DatasetDataProvider( dataset ) return dataproviders.chunk.Base64ChunkDataProvider( dataset_source, **settings ) + def _clean_and_set_mime_type(self, trans, mime): + if mime.lower() in XSS_VULNERABLE_MIME_TYPES: + if not getattr( trans.app.config, "serve_xss_vulnerable_mimetypes", True ): + mime = DEFAULT_MIME_TYPE + trans.response.set_content_type( mime ) + @dataproviders.decorators.has_dataproviders class Text( Data ): diff -r 2295745a2888e74a518bdd6d7189d10031cbbf7d -r f26afae68417905a7f662671a18ca551f39ecf5f universe_wsgi.ini.sample --- a/universe_wsgi.ini.sample +++ b/universe_wsgi.ini.sample @@ -507,6 +507,12 @@ # unaltered output. #sanitize_all_html = True +# By default Galaxy will serve non-HTML tool output that may potentially +# contain browser executable JavaScript content as plain text. This will for +# instance cause SVG datasets to not render properly and so may be disabled +# by setting the following option to True. +#serve_xss_vulnerable_mimetypes = False + # Debug enables access to various config options useful for development and # debugging: use_lint, use_profile, use_printdebug and use_interactive. It # also causes the files used by PBS/SGE (submission script, output, and error) Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.