From 0217eaad8d4252d944df6c904eca546bb4a642ac Mon Sep 17 00:00:00 2001
From: Ben Kurtovic
Date: Thu, 26 Jul 2012 00:10:55 -0400
Subject: [PATCH] Some escapes to close potential security, plus a couple bugfixes.
---
 pages/copyvios.mako | 16 ++++++++--------
 pages/settings.mako | 8 ++++----
 toolserver/cookies.py | 2 +-
 toolserver/copyvios/highlighter.py | 2 ++
 4 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/pages/copyvios.mako b/pages/copyvios.mako
index 56efa3f..f1517ca 100644
--- a/pages/copyvios.mako
+++ b/pages/copyvios.mako
@@ -4,7 +4,7 @@
 <% query, bot, all_langs, all_projects, page, result = main(environ) %>
 % if query.project and query.lang and query.title and not page:
-

The given site (project=${query.project}, language=${query.lang}) doesn't seem to exist. It may also be closed or private. Confirm its URL.

+

The given site (project=${query.project | h}, language=${query.lang | h}) doesn't seem to exist. It may also be closed or private. Confirm its URL.

% elif query.project and query.lang and query.title and page and not result:
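Review bot: The `| h` filters added to `query.project` and `query.lang` on the new line fix this one output site, but every other `${...}` of request-derived data in the template stays opt-in, which is exactly how the unescaped line being replaced got there. Mako can make escaping the default by constructing the `Template`/`TemplateLookup` with `default_filters=['h']` and using `| n` only where raw HTML is deliberately emitted; that turns each remaining omission into a visible exception rather than a silent hole. Note that `h` is an HTML entity escape suited to text content and double-quoted attributes; it does not make a value safe inside a URL, an unquoted attribute or a `<script>` block, so values that land there need their own handling. The enclosing `% if` branch continues past the hunk.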
@@ -23,9 +23,9 @@
 <% selected_lang = query.orig_lang if query.orig_lang else cookies["EarwigDefaultLang"].value if "EarwigDefaultLang" in cookies else bot.wiki.get_site().lang %>
 % for code, name in all_langs:
 % if code == selected_lang:
- +
 % else:
- +
 % endif
 % endfor
@@ -34,9 +34,9 @@
 <% selected_project = query.project if query.project else cookies["EarwigDefaultProject"].value if "EarwigDefaultProject" in cookies else bot.wiki.get_site().project %>
 % for code, name in all_projects:
 % if code == selected_project:
- +
 % else:
- +
 % endif
 % endfor
@@ -80,16 +80,16 @@
% if result.violation: -

${page.title | h} is a suspected violation of ${result.url | urlstrip}.

+

${page.title | h} is a suspected violation of ${result.url | urlstrip, h}.

% else: -

No violations detected in ${page.title | h}.

+

No violations detected in ${page.title | h}.

% endif
  • ${round(result.confidence * 100, 1)}% confidence of a violation.
  • % if result.cached:
  • Results are cached To save time (and money), this tool will retain the results of checks for up to 72 hours. This includes the URL of the "violated" source, but neither its content nor the content of the article. Future checks on the same page (assuming it remains unchanged) will not involve additional search queries, but a fresh comparison against the source URL will be made. If the page is modified, a new check will be run. - from ${result.cache_time} (${result.cache_age} ago). Bypass the cache.
  • + from ${result.cache_time} (${result.cache_age} ago). Bypass the cache. % else:
  • Results generated in ${round(result.tdiff, 3)} seconds using ${result.queries} queries.
  • % endif
diff --git a/pages/settings.mako b/pages/settings.mako
index 3eb68ac..4542e78 100644
--- a/pages/settings.mako
+++ b/pages/settings.mako
@@ -20,9 +20,9 @@
 <% selected_lang = cookies["EarwigDefaultLang"].value if "EarwigDefaultLang" in cookies else bot.wiki.get_site().lang %>
 % for code, name in langs:
 % if code == selected_lang:
- +
 % else:
- +
 % endif
 % endfor
@@ -31,9 +31,9 @@
 <% selected_project = cookies["EarwigDefaultProject"].value if "EarwigDefaultProject" in cookies else bot.wiki.get_site().project %>
 % for code, name in projects:
 % if code == selected_project:
- +
 % else:
- +
 % endif
 % endfor
diff --git a/toolserver/cookies.py b/toolserver/cookies.py
index 2a84c2a..1a86cc7 100644
--- a/toolserver/cookies.py
+++ b/toolserver/cookies.py
@@ -12,7 +12,7 @@ class _CookieManager(SimpleCookie):
 self._path = path.split(environ["PATH_INFO"])[0]
 try:
 super(_CookieManager, self).__init__(environ["HTTP_COOKIE"])
- except (CookieError, AttributeError):
+ except (CookieError, KeyError):
 super(_CookieManager, self).__init__()
 for cookie in self.keys():
 if self[cookie].value is False:
diff --git a/toolserver/copyvios/highlighter.py b/toolserver/copyvios/highlighter.py
index 0c0b17e..00a4d69 100644
--- a/toolserver/copyvios/highlighter.py
+++ b/toolserver/copyvios/highlighter.py
@@ -2,6 +2,8 @@
 from re import sub, UNICODE
+# TODO: escape if input contains pseudo-HTML
+
 def highlight_delta(context, chain, delta):
 processed = []
 prev_prev = prev = chain.START
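Review bot: Filter order on the changed `${result.url | urlstrip, h}` line is right — Mako applies `urlstrip` to the raw value and `h` to its result — but that only protects the visible text; if the surrounding markup (stripped from this view) also places `result.url` in an `href`, `h` does not reject a `javascript:` or `data:` target, so the link needs a scheme allow-list (`http`/`https`) applied before it is emitted. The cache-bypass line appears identical on both sides here because its markup was stripped, so whatever changed in it cannot be reviewed from this page. The `% if result.violation` block sits fully inside the hunk, but the list it belongs to begins outside it.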
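Review bot: The fallback `super(_CookieManager, self).__init__()` in the new `except (CookieError, KeyError)` branch does not discard entries the cookie parser may already have stored before it raised `CookieError` on a later malformed item (the older `Cookie` module sets keys as it goes), so a partially parsed, client-supplied header can survive into the `for cookie in self.keys()` loop; since `BaseCookie.__init__` with no input loads nothing, add `self.clear()` as the first statement of the handler. Switching `AttributeError` to `KeyError` is the correct exception for a missing `HTTP_COOKIE`, but reading it with `environ.get("HTTP_COOKIE")` would let the `try` cover only the parse, and then only `CookieError` needs catching. The enclosing `__init__` begins above the hunk, so whether anything else resets the state there cannot be confirmed from this view.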
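Review bot: The added `# TODO: escape if input contains pseudo-HTML` records a known escaping gap without stating the current contract of `highlight_delta`, so a caller cannot tell from the signature whether it must pre-escape the `chain`/`delta` text; give the function a docstring that says so, e.g. `"""Build highlight markup for the words of ``delta``. Text is inserted without HTML escaping; callers must escape untrusted input until the TODO above is resolved."""`, adjusting the first sentence to what the body actually returns. A TODO with no owner or issue reference tends to outlive the release it was meant to gate, so name one in the comment. The body of `highlight_delta` continues past the hunk, so whether it already escapes anything cannot be confirmed here.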