rpms / ipython

Clone
Source Code
GIT

Blame 3ab41641cf6fce3860c73d5cf4645aa12e1e5892.patch

3.0 el5 el6 epel7 epel8 f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f7 f8 f9 fc6 main next rawhide
  1.   f25
  2.   3ab41641cf6fce3860c73d5cf4645aa12e1e5892.patch
Blob History Raw
Orion Poplawski d75e4d6 
From 3ab41641cf6fce3860c73d5cf4645aa12e1e5892 Mon Sep 17 00:00:00 2001
Orion Poplawski d75e4d6 
From: Matthias Bussonnier <bussonniermatthias@gmail.com>
Orion Poplawski d75e4d6 
Date: Tue, 1 Sep 2015 16:29:25 +0200
Orion Poplawski d75e4d6 
Subject: [PATCH] Fix XSS reported on Security list
Orion Poplawski d75e4d6 
MIME-Version: 1.0
Orion Poplawski d75e4d6 
Content-Type: text/plain; charset=UTF-8
Orion Poplawski d75e4d6 
Content-Transfer-Encoding: 8bit
Orion Poplawski d75e4d6
Orion Poplawski d75e4d6 
No CVE-ID yet
Orion Poplawski d75e4d6
Orion Poplawski d75e4d6 
August 18, 2015
Orion Poplawski d75e4d6 
-----
Orion Poplawski d75e4d6 
Reported to Quantopian by Juan Broullón <thebrowfc@gmail.com>...
Orion Poplawski d75e4d6
Orion Poplawski d75e4d6 
If you create a new folder in the iPython file browser and set
Orion Poplawski d75e4d6 
Javascript code as its name the code injected will be executed. So, if I
Orion Poplawski d75e4d6 
create a folder called "> and
Orion Poplawski d75e4d6 
then I access to it, the cookies will be prompted.
Orion Poplawski d75e4d6
Orion Poplawski d75e4d6 
The XSS code is also executed if you access a link pointing directly at
Orion Poplawski d75e4d6 
the folder.
Orion Poplawski d75e4d6
Orion Poplawski d75e4d6 
  jik
Orion Poplawski d75e4d6 
------
Orion Poplawski d75e4d6 
---
Orion Poplawski d75e4d6 
 IPython/html/notebookapp.py | 4 +++-
Orion Poplawski d75e4d6 
 1 file changed, 3 insertions(+), 1 deletion(-)
Orion Poplawski d75e4d6
Orion Poplawski d75e4d6 
diff --git a/IPython/html/notebookapp.py b/IPython/html/notebookapp.py
Orion Poplawski d75e4d6 
index 0464144..094812b 100644
Orion Poplawski d75e4d6 
--- a/IPython/html/notebookapp.py
Orion Poplawski d75e4d6 
+++ b/IPython/html/notebookapp.py
Orion Poplawski d75e4d6 
@@ -158,7 +158,9 @@ def init_settings(self, ipython_app, kernel_manager, contents_manager,
Orion Poplawski d75e4d6 
             _template_path = (_template_path,)
Orion Poplawski d75e4d6 
         template_path = [os.path.expanduser(path) for path in _template_path]
Orion Poplawski d75e4d6
Orion Poplawski d75e4d6 
-        jenv_opt = jinja_env_options if jinja_env_options else {}
Orion Poplawski d75e4d6 
+        jenv_opt = {"autoescape": True}
Orion Poplawski d75e4d6 
+        jenv_opt.update(jinja_env_options if jinja_env_options else {})
Orion Poplawski d75e4d6 
+
Orion Poplawski d75e4d6 
         env = Environment(loader=FileSystemLoader(template_path), **jenv_opt)
Orion Poplawski d75e4d6
Orion Poplawski d75e4d6 
         sys_info = get_sys_info()
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.