1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/f76fb3c40d55/ Changeset: f76fb3c40d55 Branch: stable User: martenson Date: 2014-12-05 16:54:22+00:00 Summary: Merged in natefoo/galaxy-central/stable (pull request #588) [STABLE] XSS fixes for remaining user templates and a few other security fixes Affected #: 6 files diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 lib/galaxy/tools/filters/__init__.py --- a/lib/galaxy/tools/filters/__init__.py +++ b/lib/galaxy/tools/filters/__init__.py @@ -1,6 +1,10 @@ +import logging from galaxy.util import listify from copy import deepcopy +log = logging.getLogger( __name__ ) + + class FilterFactory( object ): """ An instance of this class is responsible for filtering the list @@ -37,17 +41,21 @@ elif name == 'toolbox_label_filters': category = "label" if category: - self.__init_filters( category, user_filters, filters ) + validate = getattr( trans.app.config, 'user_%s_filters' % category, [] ) + self.__init_filters( category, user_filters, filters, validate=validate ) else: if kwds.get( "trackster", False ): filters[ "tool" ].append( _has_trackster_conf ) return filters - def __init_filters( self, key, filters, toolbox_filters ): + def __init_filters( self, key, filters, toolbox_filters, validate=None ): for filter in filters: - filter_function = self.__build_filter_function( filter ) - toolbox_filters[ key ].append( filter_function ) + if validate is None or filter in validate or filter in self.default_filters: + filter_function = self.__build_filter_function( filter ) + toolbox_filters[ key ].append( filter_function ) + else: + log.warning( "Refusing to load %s filter '%s' which is not defined in config", key, filter ) return toolbox_filters def __build_filter_function( self, filter_name ): diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 lib/galaxy/webapps/galaxy/controllers/user.py --- a/lib/galaxy/webapps/galaxy/controllers/user.py +++ b/lib/galaxy/webapps/galaxy/controllers/user.py @@ -295,7 +295,7 @@ message=message, status='info' ) ) if redirect: - return trans.response.send_redirect( redirect ) + return trans.response.send_redirect( self.__get_redirect_url( redirect ) ) return trans.response.send_redirect( url_for( controller='user', action='openid_manage', use_panels=use_panels, @@ -347,7 +347,7 @@ message=message, status='info' ) ) if redirect: - return trans.response.send_redirect( redirect ) + return trans.response.send_redirect( self.__get_redirect_url( redirect ) ) return trans.response.send_redirect( url_for( controller='user', action='openid_manage', use_panels=use_panels, @@ -453,7 +453,7 @@ redirect = self.__get_redirect_url( kwd.get( 'redirect', trans.request.referer ).strip() ) redirect_url = '' # always start with redirect_url being empty use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) - message = kwd.get( 'message', '' ) + message = escape( kwd.get( 'message', '' ) ) status = kwd.get( 'status', 'done' ) header = '' user = trans.user @@ -606,7 +606,7 @@ refresh_frames = [ 'masthead' ] trans.handle_user_logout( logout_all=logout_all ) message = 'You have been logged out.<br>You can log in again, <a target="_top" href="%s">go back to the page you were visiting</a> or <a target="_top" href="%s">go to the home page</a>.' % \ - ( trans.request.referer, url_for( '/' ) ) + ( escape( trans.request.referer ), url_for( '/' ) ) if biostar.biostar_logged_in( trans ): biostar_url = biostar.biostar_logout( trans ) if biostar_url: @@ -629,7 +629,7 @@ if honeypot_field != '': return trans.show_error_message( "You've been flagged as a possible bot. If you are not, please try registering again and fill the form out carefully. <a target=\"_top\" href=\"%s\">Go to the home page</a>." ) % url_for( '/' ) - message = util.restore_text( params.get( 'message', '' ) ) + message = escape( util.restore_text( params.get( 'message', '' ) ) ) status = params.get( 'status', 'done' ) use_panels = util.string_as_bool( kwd.get( 'use_panels', True ) ) email = util.restore_text( params.get( 'email', '' ) ) @@ -659,9 +659,11 @@ # Create the user, save all the user info and login to Galaxy if params.get( 'create_user_button', False ): # Check email and password validity + # Note: message does not need to be escaped (it is clean) message = self.__validate( trans, params, email, password, confirm, username ) if not message: # All the values are valid + # message does not need to be escaped here either message, status, user, success = self.__register( trans, cntrller, subscribe_checked, @@ -675,7 +677,7 @@ trans.log_event( "User created a new account" ) trans.log_event( "User logged in" ) if success and is_admin: - message = 'Created new user account (%s)' % user.email + message = 'Created new user account (%s)' % escape( user.email ) trans.response.send_redirect( web.url_for( controller='admin', action='users', cntrller=cntrller, @@ -743,7 +745,7 @@ if subscribe_checked: # subscribe user to email list if trans.app.config.smtp_server is None: - error = "Now logged in as " + user.email + ". However, subscribing to the mailing list has failed because mail is not configured for this Galaxy instance. <br>Please contact your local Galaxy administrator." + error = "Now logged in as " + escape( user.email ) + ". However, subscribing to the mailing list has failed because mail is not configured for this Galaxy instance. <br>Please contact your local Galaxy administrator." else: body = 'Join Mailing list.\n' to = trans.app.config.mailing_join_addr @@ -752,7 +754,7 @@ try: util.send_mail( frm, to, subject, body, trans.app.config ) except: - error = "Now logged in as " + user.email + ". However, subscribing to the mailing list has failed." + error = "Now logged in as " + escape( user.email ) + ". However, subscribing to the mailing list has failed." if not error and not is_admin: # The handle_user_login() method has a call to the history_set_default_permissions() method # (needed when logging in with a history), user needs to have default permissions set before logging in @@ -762,7 +764,7 @@ elif not error: trans.response.send_redirect( web.url_for( controller='admin', action='users', - message='Created new user account (%s)' % user.email, + message='Created new user account (%s)' % escape( user.email ), status=status ) ) if error: message = error @@ -772,7 +774,7 @@ if trans.webapp.name == 'galaxy' and trans.app.config.user_activation_on: is_activation_sent = self.send_verification_email( trans, email, username ) if is_activation_sent: - message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) ) + message = 'Now logged in as %s.<br>Verification email has been sent to your email address. Please verify it by clicking the activation link in the email.<br>Please check your spam/trash folder in case you cannot find the message.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) ) success = True else: message = 'Unable to send activation email, please contact your local Galaxy administrator.' @@ -780,7 +782,7 @@ message += ' Contact: %s' % trans.app.config.error_email_to success = False else: # User activation is OFF, proceed without sending the activation email. - message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( user.email, url_for( '/' ) ) + message = 'Now logged in as %s.<br><a target="_top" href="%s">Return to the home page.</a>' % ( escape( user.email ), url_for( '/' ) ) success = True return ( message, status, user, success ) @@ -970,7 +972,7 @@ user.username = username trans.sa_session.add( user ) trans.sa_session.flush() - message = 'The username has been updated with the changes.' + message = 'The username has been updated to: %s' % escape( username ) return trans.fill_template( '/user/username.mako', cntrller=cntrller, user=user, @@ -1177,7 +1179,7 @@ message = 'Default new history permissions have been changed.' return trans.fill_template( 'user/permissions.mako', cntrller=cntrller, - message=message, + message=escape( message ), status=status ) else: # User not logged in, history group must be only public @@ -1228,57 +1230,48 @@ filters.append( dict( filterpath=filter_name, short_desc=sdesc, desc=description, checked=False ) ) return filters - params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - status = params.get( 'status', 'done' ) + saved_user_tool_filters = list() + saved_user_section_filters = list() + saved_user_label_filters = list() - user_id = params.get( 'user_id', False ) - if user_id: - user = trans.sa_session.query( trans.app.model.User ).get( trans.security.decode_id( user_id ) ) - else: - user = trans.user + for name, value in trans.user.preferences.items(): + if name == 'toolbox_tool_filters': + saved_user_tool_filters = listify( value, do_strip=True ) + elif name == 'toolbox_section_filters': + saved_user_section_filters = listify( value, do_strip=True ) + elif name == 'toolbox_label_filters': + saved_user_label_filters = listify( value, do_strip=True ) - if user: - saved_user_tool_filters = list() - saved_user_section_filters = list() - saved_user_label_filters = list() + tool_filters = get_filter_mapping( saved_user_tool_filters, trans.app.config.user_tool_filters ) + section_filters = get_filter_mapping( saved_user_section_filters, trans.app.config.user_section_filters ) + label_filters = get_filter_mapping( saved_user_label_filters, trans.app.config.user_label_filters ) - for name, value in user.preferences.items(): - if name == 'toolbox_tool_filters': - saved_user_tool_filters = listify( value, do_strip=True ) - elif name == 'toolbox_section_filters': - saved_user_section_filters = listify( value, do_strip=True ) - elif name == 'toolbox_label_filters': - saved_user_label_filters = listify( value, do_strip=True ) + message = escape( util.restore_text( kwd.get( 'message', '' ) ) ) + status = util.restore_text( kwd.get( 'status', 'done' ) ) - tool_filters = get_filter_mapping( saved_user_tool_filters, trans.app.config.user_tool_filters ) - section_filters = get_filter_mapping( saved_user_section_filters, trans.app.config.user_section_filters ) - label_filters = get_filter_mapping( saved_user_label_filters, trans.app.config.user_label_filters ) - - return trans.fill_template( 'user/toolbox_filters.mako', - cntrller=cntrller, - message=message, - tool_filters=tool_filters, - section_filters=section_filters, - label_filters=label_filters, - user=user, - status=status ) - else: - # User not logged in, history group must be only public - return trans.show_error_message( "You must be logged in to change private toolbox filters." ) + return trans.fill_template( 'user/toolbox_filters.mako', + cntrller=cntrller, + message=message, + tool_filters=tool_filters, + section_filters=section_filters, + label_filters=label_filters, + user=trans.user, + status=status) @web.expose @web.require_login( "to change the private toolbox filters" ) def edit_toolbox_filters( self, trans, cntrller, **kwd ): + def validate( user_filters, filter_type ): + rval = [] + config_filters = getattr( trans.app.config, 'user_%s_filters' % filter_type, [] ) + for f in user_filters: + if f not in config_filters: + log.warning( 'User provided filter %s which is not in user_%s_filters', f, filter_type ) + else: + rval.append( f ) + return rval + params = util.Params( kwd ) - message = util.restore_text( params.get( 'message', '' ) ) - user_id = params.get( 'user_id', False ) - if not user_id: - # User must be logged in to create a new address - return trans.show_error_message( "You must be logged in to change the ToolBox filters." ) - - user = trans.sa_session.query( trans.app.model.User ).get( trans.security.decode_id( user_id ) ) - if params.get( 'edit_toolbox_filter_button', False ): tool_filters = list() section_filters = list() @@ -1291,13 +1284,13 @@ label_filters.append( name[2:] ) elif name.startswith('s_'): section_filters.append( name[2:] ) - user.preferences['toolbox_tool_filters'] = ','.join( tool_filters ) - user.preferences['toolbox_section_filters'] = ','.join( section_filters ) - user.preferences['toolbox_label_filters'] = ','.join( label_filters ) + trans.user.preferences['toolbox_tool_filters'] = ','.join( validate( tool_filters, 'tool' ) ) + trans.user.preferences['toolbox_section_filters'] = ','.join( validate( section_filters, 'section' ) ) + trans.user.preferences['toolbox_label_filters'] = ','.join( validate( label_filters, 'label' ) ) - trans.sa_session.add( user ) + trans.sa_session.add( trans.user ) trans.sa_session.flush() - message = 'ToolBox filters has been updated.' + message = 'ToolBox filters have been updated.' kwd = dict( message=message, status='done' ) # Display the ToolBox filters form with the current values filled in diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/dbkeys.mako --- a/templates/user/dbkeys.mako +++ b/templates/user/dbkeys.mako @@ -148,7 +148,7 @@ Processing % endif </td> - <td><form action="dbkeys" method="post"><input type="hidden" name="key" value="${key}" /><input type="submit" name="delete" value="Delete" /></form></td> + <td><form action="dbkeys" method="post"><input type="hidden" name="key" value="${key | h}" /><input type="submit" name="delete" value="Delete" /></form></td></tr> % endfor </table> @@ -194,7 +194,7 @@ <div style="clear: both; padding-bottom: 0.5em"></div><select id="fasta_input" name="dataset_id"> %for dataset in fasta_hdas: - <option value="${trans.security.encode_id( dataset.id )}">${dataset.hid}: ${dataset.name}</option> + <option value="${trans.security.encode_id( dataset.id )}">${dataset.hid | h}: ${dataset.name | h}</option> %endfor </select><input type="file" id="len_file_input" name="len_file" /></input> diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/openid_associate.mako --- a/templates/user/openid_associate.mako +++ b/templates/user/openid_associate.mako @@ -48,13 +48,13 @@ The following OpenIDs will be associated with the account chosen or created below. <ul> %for openid in openids: - <li>${openid.openid}</li> + <li>${openid.openid | h}</li> %endfor </ul></div> %else: <div> - The OpenID <strong>${openids[0].openid}</strong> will be associated with the account chosen or created. + The OpenID <strong>${openids[0].openid | h}</strong> will be associated with the account chosen or created. </div> %endif <br/> diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/toolbox_filters.mako --- a/templates/user/toolbox_filters.mako +++ b/templates/user/toolbox_filters.mako @@ -15,7 +15,7 @@ %if tool_filters or section_filters or label_filters: <div class="toolForm"> - <form name="toolbox_filter" id="toolbox_filter" action="${h.url_for( controller='user', action='edit_toolbox_filters', cntrller=cntrller, user_id=trans.security.encode_id( user.id ) )}" method="post" > + <form name="toolbox_filter" id="toolbox_filter" action="${h.url_for( controller='user', action='edit_toolbox_filters', cntrller=cntrller )}" method="post" > % if tool_filters: <div class="toolFormTitle">Edit ToolBox filters :: Tools</div><div class="toolFormBody"> @@ -87,5 +87,5 @@ </form></div> %else: - ${render_msg( 'No filter available. Contact you system administrator or check your configuration file.', 'info' )} + ${render_msg( 'No filters available. Contact your system administrator or check your configuration file.', 'info' )} %endif diff -r de92a7b850332c0d3c8ef393c1ff0db98f4b37f7 -r f76fb3c40d55adf4f84acfdf26194d323f860df6 templates/user/username.mako --- a/templates/user/username.mako +++ b/templates/user/username.mako @@ -1,4 +1,9 @@ <%inherit file="/base.mako"/> +<%namespace file="/message.mako" import="render_msg" /> + +%if message: + ${render_msg( message, status )} +%endif <% is_admin = cntrller == 'admin' and trans.user_is_admin() %> Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.