security fixes

CHANGES.txt

@@ -1,6 +1,11 @@
 This file contains the changes to the Roundup system over time. The entries
 are given with the most recent entry first.
 
+2008-03-01 1.4.4
+Fixed:
+- Security fixes (thanks Roland Meister)
+
+
 2008-02-27 1.4.3
 Fixed:
 - MySQL backend bug introduced in 1.4.2 (TEXT columns need a size when

doc/announcement.txt

@@ -1,8 +1,7 @@
-I'm proud to release version 1.4.3 of Roundup.
+I'm proud to release version 1.4.4 of Roundup.
 
-Just one bug was fixed in 1.4.3:
-
-- MySQL backend bug introduced in 1.4.2
+1.4.4 is a security fix release. All installations of Roundup are strongly
+encouraged to update.
 
 If you're upgrading from an older version of Roundup you *must* follow
 the "Software Upgrade" guidelines given in the maintenance documentation.

doc/index.txt

@@ -130,6 +130,7 @@ Will Maier,
 Georges Martin,
 Gordon McMillan,
 John F Meinel Jr,
+Roland Meister,
 Ulrik Mikaelsson,
 John Mitchell,
 Ramiro Morales,

roundup/__init__.py

@@ -15,7 +15,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 #
-# $Id: __init__.py,v 1.50 2008-02-27 08:32:50 richard Exp $
+# $Id: __init__.py,v 1.51 2008-03-01 08:18:06 richard Exp $
 
 '''Roundup - issue tracking for knowledge workers.
 
@@ -68,6 +68,6 @@
 '''
 __docformat__ = 'restructuredtext'
 
-__version__ = '1.4.3'
+__version__ = '1.4.4'
 
 # vim: set filetype=python ts=4 sw=4 et si

roundup/cgi/templating.py

@@ -878,7 +878,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$')):
             prop = self[prop_n]
             if not isinstance(prop, HTMLProperty):
                 continue
-            current[prop_n] = prop.plain()
+            current[prop_n] = prop.plain(escape=1)
             # make link if hrefable
             if (self._props.has_key(prop_n) and
                     isinstance(self._props[prop_n], hyperdb.Link)):
@@ -979,6 +979,7 @@ def history(self, direction='descending', dre=re.compile('^\d+$')):
                                     if labelprop is not None and \
                                             labelprop != 'id':
                                         label = linkcl.get(linkid, labelprop)
+                                        label = cgi.escape(label)
                                 except IndexError:
                                     comments['no_link'] = self._(
                                         "<strike>The linked node"
@@ -1002,7 +1003,8 @@ def history(self, direction='descending', dre=re.compile('^\d+$')):
                         # there's no labelprop!
                         if labelprop is not None and labelprop != 'id':
                             try:
-                                label = linkcl.get(args[k], labelprop)
+                                label = cgi.escape(linkcl.get(args[k],
+                                    labelprop))
                             except IndexError:
                                 comments['no_link'] = self._(
                                     "<strike>The linked node"
@@ -1012,7 +1014,8 @@ def history(self, direction='descending', dre=re.compile('^\d+$')):
                                 label = None
                         if label is not None:
                             if hrefable:
-                                old = '<a href="%s%s">%s</a>'%(classname, args[k], label)
+                                old = '<a href="%s%s">%s</a>'%(classname,
+                                    args[k], label)
                             else:
                                 old = label;
                             cell.append('%s: %s' % (self._(k), old))
@@ -1369,7 +1372,7 @@ def field(self, **kwargs):
             If not editable, just display the value via plain().
         """
         if not self.is_edit_ok():
-            return self.plain()
+            return self.plain(escape=1)
 
         value = self._value
         if value is None:
@@ -1423,7 +1426,7 @@ def email(self, escape=1):
         return value
 
 class PasswordHTMLProperty(HTMLProperty):
-    def plain(self):
+    def plain(self, escape=0):
         """ Render a "plain" representation of the property
         """
         if not self.is_view_ok():
@@ -1439,7 +1442,7 @@ def field(self, size=30):
             If not editable, just display the value via plain().
         """
         if not self.is_edit_ok():
-            return self.plain()
+            return self.plain(escape=1)
 
         return self.input(type="password", name=self._formname, size=size)
 
@@ -1459,7 +1462,7 @@ def confirm(self, size=30):
             size=size)
 
 class NumberHTMLProperty(HTMLProperty):
-    def plain(self):
+    def plain(self, escape=0):
         """ Render a "plain" representation of the property
         """
         if not self.is_view_ok():
@@ -1476,7 +1479,7 @@ def field(self, size=30):
             If not editable, just display the value via plain().
         """
         if not self.is_edit_ok():
-            return self.plain()
+            return self.plain(escape=1)
 
         value = self._value
         if value is None:
@@ -1496,7 +1499,7 @@ def __float__(self):
 
 
 class BooleanHTMLProperty(HTMLProperty):
-    def plain(self):
+    def plain(self, escape=0):
         """ Render a "plain" representation of the property
         """
         if not self.is_view_ok():
@@ -1512,7 +1515,7 @@ def field(self):
             If not editable, just display the value via plain().
         """
         if not self.is_edit_ok():
-            return self.plain()
+            return self.plain(escape=1)
 
         value = self._value
         if isinstance(value, str) or isinstance(value, unicode):
@@ -1549,7 +1552,7 @@ def __init__(self, client, classname, nodeid, prop, name, value,
         if self._offset is None :
             self._offset = self._prop.offset (self._db)
 
-    def plain(self):
+    def plain(self, escape=0):
         """ Render a "plain" representation of the property
         """
         if not self.is_view_ok():
@@ -1600,7 +1603,7 @@ def field(self, size=30, default=None, format=_marker, popcal=True):
         """
         if not self.is_edit_ok():
             if format is self._marker:
-                return self.plain()
+                return self.plain(escape=1)
             else:
                 return self.pretty(format)
 
@@ -1720,7 +1723,7 @@ def __init__(self, client, classname, nodeid, prop, name, value,
         if self._value and not isinstance(self._value, (str, unicode)):
             self._value.setTranslator(self._client.translator)
 
-    def plain(self):
+    def plain(self, escape=0):
         """ Render a "plain" representation of the property
         """
         if not self.is_view_ok():
@@ -1744,7 +1747,7 @@ def field(self, size=30):
             If not editable, just display the value via plain().
         """
         if not self.is_edit_ok():
-            return self.plain()
+            return self.plain(escape=1)
 
         value = self._value
         if value is None:
@@ -1806,7 +1809,7 @@ def field(self, showid=0, size=None):
             If not editable, just display the value via plain().
         """
         if not self.is_edit_ok():
-            return self.plain()
+            return self.plain(escape=1)
 
         # edit field
         linkcl = self._db.getclass(self._prop.classname)
@@ -1842,7 +1845,7 @@ def menu(self, size=None, height=None, showid=0, additional=[], value=None,
             If not editable, just display the value via plain().
         """
         if not self.is_edit_ok():
-            return self.plain()
+            return self.plain(escape=1)
 
         if value is None:
             value = self._value
@@ -1999,7 +2002,7 @@ def field(self, size=30, showid=0):
             If not editable, just display the value via plain().
         """
         if not self.is_edit_ok():
-            return self.plain()
+            return self.plain(escape=1)
 
         linkcl = self._db.getclass(self._prop.classname)
         value = self._value[:]
@@ -2034,7 +2037,7 @@ def menu(self, size=None, height=None, showid=0, additional=[],
             If not editable, just display the value via plain().
         """
         if not self.is_edit_ok():
-            return self.plain()
+            return self.plain(escape=1)
 
         if value is None:
             value = self._value

setup.py

@@ -16,7 +16,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 #
-# $Id: setup.py,v 1.101 2008-02-27 20:57:56 richard Exp $
+# $Id: setup.py,v 1.102 2008-03-01 08:18:06 richard Exp $
 
 from distutils.core import setup, Extension
 from distutils.util import get_platform
@@ -352,9 +352,8 @@ def main():
 '''In this release
 ===============
 
-Just one bug was fixed in 1.4.3:
-
-- MySQL backend bug introduced in 1.4.2
+1.4.4 is a security fix release. All installations of Roundup are strongly
+encouraged to update.
 
 If you're upgrading from an older version of Roundup you *must* follow
 the "Software Upgrade" guidelines given in the maintenance documentation.

templates/classic/html/_generic.help-list.html

@@ -1,4 +1,4 @@
-<!-- $Id: _generic.help-list.html,v 1.1 2006-09-18 00:03:02 tobias-herp Exp $ vim: sw=2 ts=8 et
+<!-- $Id: _generic.help-list.html,v 1.2 2008-03-01 08:18:07 richard Exp $ vim: sw=2 ts=8 et
 --><html tal:define="vok context/is_view_ok">
   <head>
     <title>Search result for user helper</title>
@@ -64,7 +64,7 @@
              <td tal:repeat="prop props">
                  <label class="classhelp-label"
                         tal:attributes="for string:id_$attr"
-                        tal:content="structure python:item[prop]"></label>
+                        tal:content="python:item[prop]"></label>
              </td>
            </tal:block>
          </tr>

templates/classic/html/_generic.help.html

@@ -83,7 +83,7 @@
              <td tal:repeat="prop props">
                  <label class="classhelp-label"
                         tal:attributes="for string:id_$attr"
-                        tal:content="structure python:item[prop]"></label>
+                        tal:content="python:item[prop]"></label>
              </td>
            </tal:block>
        </tr>

templates/classic/html/page.html

@@ -144,7 +144,7 @@ <h2><span metal:define-slot="body_title">body title</span></h2>
 
   <p class="userblock" tal:condition="python:request.user.username != 'anonymous'">
    <b i18n:translate="">Hello, <span i18n:name="user"
-    tal:replace="request/user/username">username</span></b><br>
+    tal:replace="python:request.user.username.plain(escape=1)">username</span></b><br>
     <a href="#"
        tal:attributes="href python:request.indexargs_url('issue', {
       '@sort': '-activity',

templates/minimal/html/_generic.help.html

@@ -83,7 +83,7 @@
              <td tal:repeat="prop props">
                  <label class="classhelp-label"
                         tal:attributes="for string:id_$attr"
-                        tal:content="structure python:item[prop]"></label>
+                        tal:content="python:item[prop]"></label>
              </td>
            </tal:block>
        </tr>

templates/minimal/html/page.html

@@ -143,7 +143,7 @@ <h2><span metal:define-slot="body_title">body title</span></h2>
 
   <p class="userblock" tal:condition="python:request.user.username != 'anonymous'">
    <b i18n:translate="">Hello, <span i18n:name="user"
-    tal:replace="request/user/username">username</span></b><br>
+    tal:replace="python:request.user.username.plain(escape=1)">username</span></b><br>
    <a href="#" tal:attributes="href string:user${request/user/id}"
     i18n:translate="">Your Details</a><br>
    <a href="#" tal:attributes="href python:request.indexargs_url('',