1 new commit in galaxy-central:
https://bitbucket.org/galaxy/galaxy-central/changeset/36ca2ecd42fd/
changeset: 36ca2ecd42fd
user: dannon
date: 2012-09-24 19:55:35
summary: Prevent potential login XSS.
affected #: 2 files
diff -r 327632b4f9992b2c3f4b9c6f705bed1f4e05914d -r 36ca2ecd42fdbc581b0caa253b66a136aa0f848a lib/galaxy/web/controllers/user.py
--- a/lib/galaxy/web/controllers/user.py
+++ b/lib/galaxy/web/controllers/user.py
@@ -395,6 +395,7 @@
 use_panels=use_panels,
 message=message,
 status=status ) )
+
 @web.expose
 @web.require_login( 'manage OpenIDs' )
 def openid_manage( self, trans, webapp='galaxy', **kwd ):
@@ -409,10 +410,10 @@
 action='openid_disassociate',
 use_panels=use_panels,
 id=kwd['id'] ) )
- kwd['redirect'] = kwd.get( 'redirect', url_for( controller='user', action='openid_manage', use_panels=True ) ).strip()
 kwd['openid_providers'] = trans.app.openid_providers
 return self.user_openid_grid( trans, **kwd )
+
 @web.expose
 def login( self, trans, webapp='galaxy', redirect_url='', refresh_frames=[], **kwd ):
 '''Handle Galaxy Log in'''
@@ -423,6 +424,9 @@
 header = ''
 user = None
 email = kwd.get( 'email', '' )
+ #Sanitize webapp login here, once, since it can be reflected to the user in messages/etc.
+ #Only text is valid.
+ webapp = util.sanitize_text(webapp)
 if kwd.get( 'login_button', False ):
 if webapp == 'galaxy' and not refresh_frames:
 if trans.app.config.require_login:
diff -r 327632b4f9992b2c3f4b9c6f705bed1f4e05914d -r 36ca2ecd42fdbc581b0caa253b66a136aa0f848a templates/user/login.mako
--- a/templates/user/login.mako
+++ b/templates/user/login.mako
@@ -30,7 +30,7 @@
 %if redirect_url:
 <script type="text/javascript">
- top.location.href = '${redirect_url}';
+ top.location.href = '${redirect_url | h}';
 </script>
 %endif
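Review bot: The added `webapp = util.sanitize_text(webapp)` filters characters rather than validating the value, yet the only use of it visible in the hunk is the comparison `if webapp == 'galaxy'`, which suggests webapp is a closed set of application names. An allowlist with a fallback to the default makes the value safe by construction, independent of how sanitize_text maps unexpected characters, e.g. `if webapp not in ( 'galaxy', <OTHER_KNOWN_WEBAPPS> ): webapp = 'galaxy'`. openid_manage in the hunk above takes the same parameter and gets no such step; whether it is reflected anywhere there is not visible here, and the `| h` added in login.mako only covers the template side. The body of login continues past the hunk.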
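Review bot: `${redirect_url | h}` inside the `<script>` block applies HTML-entity escaping to a JavaScript string literal, which is the wrong escaping for that context: the browser does not decode entities inside script content, so the line is only safe against breaking out of the quotes if Mako's `h` filter escapes single quotes (it does when markupsafe is available; the legacy cgi.escape fallback escapes only double quotes), and a value whose scheme is not http/https is still assigned to `top.location.href` unchanged. Since redirect_url appears to come from the request, validating it in the controller (accept a relative path or same-host URL, otherwise drop it) and emitting it with a JSON encoder, e.g. `top.location.href = ${json.dumps(redirect_url) | n};`, closes both gaps. The `%if redirect_url:` block is complete within the hunk.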
@@ -81,9 +81,9 @@
 <form name="login" id="login" action="${form_action}" method="post" ><div class="form-row"><label>Email address:</label>
- <input type="text" name="email" value="${email}" size="40"/>
- <input type="hidden" name="webapp" value="${webapp}" size="40"/>
- <input type="hidden" name="redirect" value="${redirect}" size="40"/>
+ <input type="text" name="email" value="${email | h}" size="40"/>
+ <input type="hidden" name="webapp" value="${webapp | h}" size="40"/>
+ <input type="hidden" name="redirect" value="${redirect | h}" size="40"/>
 </div><div class="form-row"><label>Password:</label>
@@ -107,8 +107,8 @@
 <div class="form-row"><label>OpenID URL:</label><input type="text" name="openid_url" size="60" style="background-image:url('${h.url_for( '/static/images/openid-16x16.gif' )}' ); background-repeat: no-repeat; padding-right: 20px; background-position: 99% 50%;"/>
- <input type="hidden" name="webapp" value="${webapp}" size="40"/>
- <input type="hidden" name="redirect" value="${redirect}" size="40"/>
+ <input type="hidden" name="webapp" value="${webapp | h}" size="40"/>
+ <input type="hidden" name="redirect" value="${redirect | h}" size="40"/>
 </div><div class="form-row"> Or, authenticate with your <select name="openid_provider">
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
--
This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
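Review bot: `action="${form_action}"` on the form line directly above the changed inputs is left unescaped while its sibling attributes now get `| h`; if form_action is built from request parameters (not visible here) it sits in the same double-quoted attribute context the commit is hardening and needs the same filter, `action="${form_action | h}"`. The `| h` on the three inputs is the right filter for attribute values, and the `@@ -107` hunk below has the same shape with the same correct escaping. The form element opens in this hunk and continues past it.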