Browse Source

pkg/context: apply EscapePound at context level

Always escape template variable {{.Link}} variable and  redirect calls.

Relates to #5442
pull/5446/head
Unknwon 6 years ago
parent
commit
0d66b1cc1c
No known key found for this signature in database
GPG Key ID: 25B575AE3213B2B3
  1. 2
      gogs.go
  2. 16
      pkg/context/context.go
  3. 4
      pkg/template/template.go
  4. 2
      routes/repo/editor.go
  5. 2
      templates/.VERSION
  6. 2
      templates/repo/issue/new_form.tmpl
  7. 2
      templates/repo/settings/protected_branch.tmpl
  8. 2
      templates/repo/wiki/new.tmpl

2
gogs.go

@ -16,7 +16,7 @@ import (
"github.com/gogs/gogs/pkg/setting" "github.com/gogs/gogs/pkg/setting"
) )
const APP_VER = "0.11.67.0928" const APP_VER = "0.11.68.0928"
func init() { func init() {
setting.AppVer = APP_VER setting.AppVer = APP_VER

16
pkg/context/context.go

@ -6,7 +6,6 @@ package context
import ( import (
"fmt" "fmt"
"html/template"
"io" "io"
"net/http" "net/http"
"path" "path"
@ -26,6 +25,7 @@ import (
"github.com/gogs/gogs/pkg/auth" "github.com/gogs/gogs/pkg/auth"
"github.com/gogs/gogs/pkg/form" "github.com/gogs/gogs/pkg/form"
"github.com/gogs/gogs/pkg/setting" "github.com/gogs/gogs/pkg/setting"
"github.com/gogs/gogs/pkg/template"
) )
// Context represents context of a request. // Context represents context of a request.
@ -138,10 +138,16 @@ func (c *Context) JSONSuccess(data interface{}) {
c.JSON(http.StatusOK, data) c.JSON(http.StatusOK, data)
} }
// Redirect responses redirection wtih given location and status.
// It escapes special characters in the location string.
func (c *Context) Redirect(location string, status ...int) {
c.Context.Redirect(template.EscapePound(location), status...)
}
// SubURLRedirect responses redirection wtih given location and status. // SubURLRedirect responses redirection wtih given location and status.
// It prepends setting.AppSubURL to the location string. // It prepends setting.AppSubURL to the location string.
func (c *Context) SubURLRedirect(location string, status ...int) { func (c *Context) SubURLRedirect(location string, status ...int) {
c.Redirect(setting.AppSubURL + location) c.Redirect(setting.AppSubURL+location, status...)
} }
// RenderWithErr used for page has form validation but need to prompt error to users. // RenderWithErr used for page has form validation but need to prompt error to users.
@ -227,7 +233,7 @@ func Contexter() macaron.Handler {
}, },
Org: &Organization{}, Org: &Organization{},
} }
c.Data["Link"] = c.Link c.Data["Link"] = template.EscapePound(c.Link)
c.Data["PageStartTime"] = time.Now() c.Data["PageStartTime"] = time.Now()
// Quick responses appropriate go-get meta with status 200 // Quick responses appropriate go-get meta with status 200
@ -296,13 +302,13 @@ func Contexter() macaron.Handler {
// If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid. // If request sends files, parse them here otherwise the Query() can't be parsed and the CsrfToken will be invalid.
if c.Req.Method == "POST" && strings.Contains(c.Req.Header.Get("Content-Type"), "multipart/form-data") { if c.Req.Method == "POST" && strings.Contains(c.Req.Header.Get("Content-Type"), "multipart/form-data") {
if err := c.Req.ParseMultipartForm(setting.AttachmentMaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size if err := c.Req.ParseMultipartForm(setting.AttachmentMaxSize << 20); err != nil && !strings.Contains(err.Error(), "EOF") { // 32MB max size
c.Handle(500, "ParseMultipartForm", err) c.ServerError("ParseMultipartForm", err)
return return
} }
} }
c.Data["CSRFToken"] = x.GetToken() c.Data["CSRFToken"] = x.GetToken()
c.Data["CSRFTokenHTML"] = template.HTML(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`) c.Data["CSRFTokenHTML"] = template.Safe(`<input type="hidden" name="_csrf" value="` + x.GetToken() + `">`)
log.Trace("Session ID: %s", sess.ID()) log.Trace("Session ID: %s", sess.ID())
log.Trace("CSRF Token: %v", c.Data["CSRFToken"]) log.Trace("CSRF Token: %v", c.Data["CSRFToken"])

4
pkg/template/template.go

@ -64,7 +64,7 @@ func NewFuncMap() []template.FuncMap {
"AppendAvatarSize": tool.AppendAvatarSize, "AppendAvatarSize": tool.AppendAvatarSize,
"Safe": Safe, "Safe": Safe,
"Sanitize": bluemonday.UGCPolicy().Sanitize, "Sanitize": bluemonday.UGCPolicy().Sanitize,
"Str2html": Str2html, "Str2html": Str2HTML,
"NewLine2br": NewLine2br, "NewLine2br": NewLine2br,
"TimeSince": tool.TimeSince, "TimeSince": tool.TimeSince,
"RawTimeSince": tool.RawTimeSince, "RawTimeSince": tool.RawTimeSince,
@ -127,7 +127,7 @@ func Safe(raw string) template.HTML {
return template.HTML(raw) return template.HTML(raw)
} }
func Str2html(raw string) template.HTML { func Str2HTML(raw string) template.HTML {
return template.HTML(markup.Sanitize(raw)) return template.HTML(markup.Sanitize(raw))
} }

2
routes/repo/editor.go

@ -286,7 +286,7 @@ func editFilePost(c *context.Context, f form.EditRepoFile, isNewFile bool) {
if f.IsNewBrnach() && c.Repo.PullRequest.Allowed { if f.IsNewBrnach() && c.Repo.PullRequest.Allowed {
c.Redirect(c.Repo.PullRequestURL(oldBranchName, f.NewBranchName)) c.Redirect(c.Repo.PullRequestURL(oldBranchName, f.NewBranchName))
} else { } else {
c.Redirect(c.Repo.RepoLink + "/src/" + branchName + "/" + template.EscapePound(f.TreePath)) c.Redirect(c.Repo.RepoLink + "/src/" + branchName + "/" + f.TreePath)
} }
} }

2
templates/.VERSION

@ -1 +1 @@
0.11.67.0928 0.11.68.0928

2
templates/repo/issue/new_form.tmpl

@ -1,4 +1,4 @@
<form class="ui comment form grid" action="{{EscapePound .Link}}" method="post"> <form class="ui comment form grid" action="{{.Link}}" method="post">
{{.CSRFTokenHTML}} {{.CSRFTokenHTML}}
{{if .Flash}} {{if .Flash}}
<div class="sixteen wide column"> <div class="sixteen wide column">

2
templates/repo/settings/protected_branch.tmpl

@ -11,7 +11,7 @@
</h4> </h4>
<div class="ui attached segment branch-protection"> <div class="ui attached segment branch-protection">
<p>{{.i18n.Tr "repo.settings.branch_protection_desc" .Branch.Name | Str2html}}</p> <p>{{.i18n.Tr "repo.settings.branch_protection_desc" .Branch.Name | Str2html}}</p>
<form class="ui form" action="{{EscapePound .Link}}" method="post"> <form class="ui form" action="{{.Link}}" method="post">
{{.CSRFTokenHTML}} {{.CSRFTokenHTML}}
<div class="inline field"> <div class="inline field">
<div class="ui checkbox"> <div class="ui checkbox">

2
templates/repo/wiki/new.tmpl

@ -11,7 +11,7 @@
</div> </div>
{{end}} {{end}}
</div> </div>
<form class="ui form" action="{{EscapePound .Link}}" method="post"> <form class="ui form" action="{{.Link}}" method="post">
{{.CSRFTokenHTML}} {{.CSRFTokenHTML}}
<input type="hidden" name="old_title" value="{{.old_title}}"> <input type="hidden" name="old_title" value="{{.old_title}}">
<div class="field {{if .Err_Title}}error{{end}}"> <div class="field {{if .Err_Title}}error{{end}}">

Loading…
Cancel
Save