lp://staging/~wgrant/loggerhead/bug-740142

Branch merges

Propose for merging

No branches dependent on this one.

Merged into lp://staging/loggerhead at revision 442

Robert Collins: Approve on 2011-03-23

Diff: 247 lines (+96/-21)

6 files modified

loggerhead/controllers/view_ui.py (+1/-2)
loggerhead/templatefunctions.py (+20/-12)
loggerhead/tests/__init__.py (+1/-0)
loggerhead/tests/test_simple.py (+7/-3)
loggerhead/tests/test_util.py (+33/-0)
loggerhead/util.py (+34/-4)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Bug #740142: persistent xss vector in (unescaped) filenames in revision views

Critical

Fix Released

Link a bug report

Related blueprints

448. By William Grant on 2011-03-23

Use str.replace instead of lots of dict lookups.

447. By William Grant on 2011-03-23

Add forgotten test_util.

446. By William Grant on 2011-03-23

Use html_format wherever possible.

445. By William Grant on 2011-03-23

add html_format, taking a format string and escaping arguments as they are inserted.

444. By William Grant on 2011-03-23

Test that filenames don't show up on /revision/N unescaped.

443. By William Grant on 2011-03-23

Use html_escape everywhere, escape a couple more places, and properly URL-encode filenames.

442. By William Grant on 2011-03-23

Add an html_escape function, like cgi.escape except useful for attribute values too.

441. By John A Meinel on 2011-03-19

include HeadMiddleware so that we can be sure HEAD requests never return BODY content.

440. By John A Meinel on 2011-03-18

Remove loggers that weren't being used (maxb, spiv)

439. By John A Meinel on 2011-03-16

Merge the page-loading change.

When /changes page is loaded, don't walk the whole ancestry during 'get_revids_from'.
Instead, only walk enough history to generate the actual page, plus a little bit more
to get the link for the 'next' page.