Roundup Tracker - Issues

Message5113

Author ezio.melotti
Recipients ber, ezio.melotti, r.david.murray, schlatterbeck
Date 2014-07-07.15:57:46
Message-id <1404748667.97.0.474031338361.issue2550847@psf.upfronthosting.co.za>
In-reply-to
This issue is similar to issue2550836.
We have a detector that prevents closing an issue if it has open
dependencies:
http://hg.python.org/tracker/python-dev/file/b9748aeeecd8/detectors/statusauditor.py#l40
This is done by raising a ValueError with a message that contains an
HTML link.

AFAIU, this ValueError is caught in cgi/actions.py, and the
add_error_message() escapes the HTML included in the message:
http://hg.python.org/tracker/roundup/file/c783a6df3ffe/roundup/cgi/actions.py#l628

This could be fixed easily by adding escape=False (see attached patch).
I verified that this doesn't affect the exploit presented in
issue2550817 (unknown properties are handled elsewhere), however it
seems that the error message could arrive from several different places,
so I'm not entirely sure it's safe to add escape=False.
Can someone more familiar with this code comment?
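An added illustration (not Roundup's code) of the trade-off the message describes: a sink that escapes everything loses the detector's link, while a blanket escape=False lets any user-supplied text in the message through unescaped. The functions add_error_message, detector_error and safe_detector_error are hypothetical stand-ins for the sink in actions.py and the status detector, and the issue titles are constructed samples.

```python
from html import escape


def add_error_message(messages, msg, escape_html=True):
    """Hypothetical error-message sink (stand-in for the one in actions.py).

    escape_html=True neutralises every '<', '>', '&' and quote in msg before
    it reaches the page; escape_html=False emits msg verbatim.
    """
    messages.append(escape(msg) if escape_html else msg)
    return messages


def detector_error(dep_id, dep_title):
    """Message a dependency-check detector might raise (constructed).

    The anchor markup is trusted (written by the detector itself); dep_title
    comes from the database and may be whatever a user typed into it.
    """
    return '<a href="issue%d">issue%d</a> (%s) is still open' % (
        dep_id, dep_id, dep_title)


def safe_detector_error(dep_id, dep_title):
    """Same message, but the untrusted part is escaped where it is inserted.

    The sink can then be told not to escape again without either losing the
    link or reflecting the title's markup.
    """
    return '<a href="issue%d">issue%d</a> (%s) is still open' % (
        dep_id, dep_id, escape(dep_title))


def link_survives(rendered):
    """True if the detector's anchor is still live HTML after the sink."""
    return '<a href="' in rendered
```

Run with a title such as `<i>x</i>` (a constructed sample) to see that detector_error with escape_html=False reflects the tag while safe_detector_error keeps only the link.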
History
Date                 User          Action  Args
2014-07-07 15:57:48  ezio.melotti  set     recipients: + ezio.melotti, schlatterbeck, ber, r.david.murray
2014-07-07 15:57:47  ezio.melotti  set     messageid: <1404748667.97.0.474031338361.issue2550847@psf.upfronthosting.co.za>
2014-07-07 15:57:47  ezio.melotti  link    issue2550847 messages
2014-07-07 15:57:47  ezio.melotti  create