Commit 8df44a4c authored by Francisco Juan's avatar Francisco Juan

Merge commit 'v1.5.4'

parents e7a3230f b2bbc1cb
= ChiliProject changelog
== 2011-10-31 v1.5.4
* Bug #647: XSS: User input for images is not properly sanitized
== 2011-10-04 v1.5.3
* Bug #619: Redmine.pm allows anonymous read access to repositories even if Anonymous role prohibits it
== 2011-08-01 v1.5.2
* Bug #547: Multiple XSS vulnerabilities
......@@ -1520,7 +1528,7 @@ Note: Previous versions referred to Redmine, which ChiliProject forked from in D
* simple SVN browser added (just needs svn binaries in PATH)
* comments can now be added on news
* "my page" is now customizable
* "my page" is now customizable
* more powerfull and savable filters for issues lists
* improved issues change history
* new functionality: move an issue to another project or tracker
......@@ -1559,7 +1567,7 @@ Note: Previous versions referred to Redmine, which ChiliProject forked from in D
* token based "lost password" functionality
* user self-registration functionality (optional)
* custom fields now available for issues, users and projects
* new custom field format "text" (displayed as a textarea field)
* new custom field format "text" (displayed as a textarea field)
* project & administration drop down menus in navigation bar for quicker access
* text formatting is preserved for long text fields (issues, projects and news descriptions)
* urls and emails are turned into clickable links in long text fields
......
......@@ -318,7 +318,7 @@ sub access_handler {
my $project_id = get_project_identifier($r);
$r->set_handlers(PerlAuthenHandler => [\&OK])
if is_public_project($project_id, $r);
if is_public_project($project_id, $r) && anonymous_role_allows_browse_repository($r);
return OK
}
......@@ -390,6 +390,29 @@ sub is_public_project {
$ret;
}
sub anonymous_role_allows_browse_repository {
my $r = shift;
my $dbh = connect_database($r);
my $sth = $dbh->prepare(
"SELECT permissions FROM roles WHERE builtin = 2;"
);
$sth->execute();
my $ret = 0;
if (my @row = $sth->fetchrow_array) {
if ($row[0] =~ /:browse_repository/) {
$ret = 1;
}
}
$sth->finish();
undef $sth;
$dbh->disconnect();
undef $dbh;
$ret;
}
# perhaps we should use repository right (other read right) to check public access.
# it could be faster BUT it doesn't work for the moment.
# sub is_public_project_by_file {
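Review bot: The permission test `if ($row[0] =~ /:browse_repository/)` is an unanchored substring match over the serialized permissions column, so any permission symbol that merely begins with that text would also grant anonymous access; `if ($row[0] =~ /:browse_repository\b/)` pins it to the exact symbol. The default `my $ret = 0;` correctly fails closed when no `builtin = 2` row exists or the column does not contain the permission. The new sub also opens and tears down its own connection via `connect_database($r)`, although `is_public_project` (whose body starts above this hunk) has just done the same for the same request in `access_handler` at the first hunk; passing the handle in, or folding both checks into one query, would avoid the doubled per-request connection cost. A header comment such as `# True iff the anonymous role (presumably builtin = 2) lists :browse_repository in its serialized permissions.` would make the intent and the magic constant legible.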
......
......@@ -936,7 +936,7 @@ class RedCloth3 < String
stln,algn,atts,url,title,href,href_a1,href_a2 = $~[1..8]
htmlesc title
atts = pba( atts )
atts = " src=\"#{ url }\"#{ atts }"
atts = " src=\"#{ htmlesc url.dup }\"#{ atts }"
atts << " title=\"#{ title }\"" if title
atts << " alt=\"#{ title }\""
# size = @getimagesize($url);
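Review bot: `htmlesc url.dup` only neutralises attribute break-out (quotes and angle brackets) in the image source; it does not constrain the URL scheme, so the `src` attribute still accepts whatever scheme the author supplies and a scheme allow-list (or the same URL validation applied elsewhere in the formatter) would be the complementary control. The `.dup` suggests `htmlesc` mutates its argument in place, as the bare `htmlesc title` on the line above does for `title`; a short comment, `# htmlesc is in-place; dup so the original url stays usable below`, would prevent a later cleanup from dropping it. `href` is captured in the same `$~[1..8]` slice but is not touched in this hunk, so whether it receives the same treatment cannot be seen here. The enclosing method begins and ends outside the hunk.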
......
......@@ -4,9 +4,9 @@ module Redmine
module VERSION #:nodoc:
MAJOR = 1
MINOR = 5
PATCH = 2
PATCH = 4
TINY = PATCH # Redmine compat
def self.revision
revision = nil
entries_path = "#{RAILS_ROOT}/.svn/entries"
......@@ -31,9 +31,9 @@ module Redmine
REVISION = self.revision
ARRAY = [MAJOR, MINOR, PATCH, REVISION].compact
STRING = ARRAY.join('.')
def self.to_a; ARRAY end
def self.to_s; STRING end
def self.to_s; STRING end
def self.to_semver
[MAJOR, MINOR, PATCH].join('.')
end
......
......@@ -85,7 +85,15 @@ class Redmine::WikiFormatting::TextileFormatterTest < HelperTestCase
'GPL(This is a double-quoted "title")' => '<acronym title="This is a double-quoted &quot;title&quot;">GPL</acronym>'
)
end
def test_textile_should_escape_image_urls
# this is onclick="alert('XSS');" in encoded form
raw = '!/images/comment.png"onclick=&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x58;&#x53;&#x53;&#x27;&#x29;;&#x22;!'
expected = '<img src="/images/comment.png&quot;onclick=&amp;#x61;&amp;#x6c;&amp;#x65;&amp;#x72;&amp;#x74;&amp;#x28;&amp;#x27;&amp;#x58;&amp;#x53;&amp;#x53;&amp;#x27;&amp;#x29;;&amp;#x22;" alt="" />'
assert_html_output(raw => expected)
end
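Review bot: The expected string in `test_textile_should_escape_image_urls` hard-codes the double-escaped form (`&amp;#x61;` and so on), which silently documents that entity sequences already present in the source URL are escaped again rather than decoded; a comment such as `# entities in the raw url are escaped a second time, not decoded` above `expected` would make that intent explicit for whoever next touches the escaping. The test exercises only the quote/attribute break-out vector, so a sibling case for a non-http scheme in the image URL would show whether the formatter constrains schemes at all. The enclosing test class starts outside the hunk.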
private
def assert_html_output(to_test)
......