From 3ab41641cf6fce3860c73d5cf4645aa12e1e5892 Mon Sep 17 00:00:00 2001
From: Matthias Bussonnier <bussonniermatthias@gmail.com>
Date: Tue, 1 Sep 2015 16:29:25 +0200
Subject: [PATCH] Fix XSS reported on Security list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
|
No CVE-ID yet
|
August 18, 2015
-----
Reported to Quantopian by Juan Broullón <thebrowfc@gmail.com>...
|
If you create a new folder in the iPython file browser and set
Javascript code as its name the code injected will be executed. So, if I
create a folder called "> and
then I access to it, the cookies will be prompted.
|
The XSS code is also executed if you access a link pointing directly at
the folder.
|
jik
------
---
IPython/html/notebookapp.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
|
diff --git a/IPython/html/notebookapp.py b/IPython/html/notebookapp.py
index 0464144..094812b 100644
--- a/IPython/html/notebookapp.py
+++ b/IPython/html/notebookapp.py
@@ -158,7 +158,9 @@ def init_settings(self, ipython_app, kernel_manager, contents_manager,
_template_path = (_template_path,)
template_path = [os.path.expanduser(path) for path in _template_path]
|
- jenv_opt = jinja_env_options if jinja_env_options else {}
+ jenv_opt = {"autoescape": True}
+ jenv_opt.update(jinja_env_options if jinja_env_options else {})
+
env = Environment(loader=FileSystemLoader(template_path), **jenv_opt)
|
sys_info = get_sys_info()
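Review bot: The `jenv_opt.update(...)` call right after the new `{"autoescape": True}` default lets a caller-supplied `jinja_env_options` containing `autoescape` override the fix, so a configuration of `{"autoescape": False}` would quietly reopen the HTML injection via directory names that this patch closes; if `jinja_env_options` is user-configurable (its name suggests so, but the definition is not visible here) the safe default should not be this easy to lose. Applying the options first and then forcing the flag keeps every other Jinja option customizable: `jenv_opt = dict(jinja_env_options or {})` followed by `jenv_opt["autoescape"] = True`, with a comment such as `# autoescape is mandatory: untrusted file and directory names are rendered into HTML`. Jinja autoescaping also covers HTML interpolation only, so any template that inlines such names inside a script block or inline event handler still needs JSON/JS-safe encoding, which this hunk cannot show. The enclosing init_settings starts before the hunk and continues after it.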