Review Request: So master isn't frozen anymore...
Nikita Skovoroda
chalkerx at gmail.com
Mon Sep 3 07:58:53 UTC 2012
> On Sept. 1, 2012, 11:59 p.m., Nikita Skovoroda wrote:
> > filters/bugzilla/bugzilla-filter.cpp, line 40
> > <http://git.reviewboard.kde.org/r/106083/diff/1/?file=78645#file78645line40>
> >
> > Again, single-quotes here, and no escaping.
> > Another security bug.
> >
> > 1) http://malicious.example.com/show-bug.cgi?id=0'evilthings-that-go-into-href-tag
> >
> > 2) http://malicious.example.com/show-bug.cgi?id=percent-encoded-html-that-goes-into-href-body
> >
> > 3) http://malicious.example.com/jsonrpc.cgi can just return evil html in the summary.
> >
> > And so on.
The first two could be fixed by verifying that bug id is an integer.
The third one needs to be escaped.
- Nikita
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
http://git.reviewboard.kde.org/r/106083/#review18418
-----------------------------------------------------------
On Aug. 19, 2012, 10:29 a.m., Lasath Fernando wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> http://git.reviewboard.kde.org/r/106083/
> -----------------------------------------------------------
>
> (Updated Aug. 19, 2012, 10:29 a.m.)
>
>
> Review request for Telepathy.
>
>
> Description
> -------
>
> Right, so here's a big fat review containing many many things, including all the remaining plugins and a few tweaks to Message.
>
> As per usual, all the code is in my scratch repo: http://quickgit.kde.org/index.php?p=clones%2Fktp-text-ui%2Ffernando%2Fgsoc.git&a=summary
>
> Now, I'm going to take a well earned nap.
>
>
> Diffs
> -----
>
> filters/CMakeLists.txt ee7c23d
> filters/bugzilla/CMakeLists.txt PRE-CREATION
> filters/bugzilla/bugzilla-filter.h PRE-CREATION
> filters/bugzilla/bugzilla-filter.cpp PRE-CREATION
> filters/bugzilla/ktptextui_message_filter_bugzilla.desktop PRE-CREATION
> filters/highlight/CMakeLists.txt PRE-CREATION
> filters/highlight/highlight-filter.h PRE-CREATION
> filters/highlight/highlight-filter.cpp PRE-CREATION
> filters/highlight/ktptextui_message_filter_highlight.desktop PRE-CREATION
> filters/latex/CMakeLists.txt PRE-CREATION
> filters/latex/ktp_message_filter_latex_converter.sh PRE-CREATION
> filters/latex/ktptextui_message_filter_latex.desktop PRE-CREATION
> filters/latex/latex-filter.h PRE-CREATION
> filters/latex/latex-filter.cpp PRE-CREATION
> filters/pipes/CMakeLists.txt PRE-CREATION
> filters/pipes/kcm_ktp_filter_config_pipes.desktop PRE-CREATION
> filters/pipes/ktptextui_message_filter_pipes.desktop PRE-CREATION
> filters/pipes/pipes-config.h PRE-CREATION
> filters/pipes/pipes-config.cpp PRE-CREATION
> filters/pipes/pipes-config.ui PRE-CREATION
> filters/pipes/pipes-delegate.h PRE-CREATION
> filters/pipes/pipes-delegate.cpp PRE-CREATION
> filters/pipes/pipes-filter.h PRE-CREATION
> filters/pipes/pipes-filter.cpp PRE-CREATION
> filters/pipes/pipes-model.h PRE-CREATION
> filters/pipes/pipes-model.cpp PRE-CREATION
> filters/pipes/pipes-prefs.h PRE-CREATION
> filters/pipes/pipes-prefs.cpp PRE-CREATION
> filters/pipes/pipes-prefstest.h PRE-CREATION
> filters/pipes/pipes-prefstest.cpp PRE-CREATION
> filters/substitution/CMakeLists.txt PRE-CREATION
> filters/substitution/kcm_ktp_filter_config_substitution.desktop PRE-CREATION
> filters/substitution/ktptextui_message_filter_substitution.desktop PRE-CREATION
> filters/substitution/substitution-config.h PRE-CREATION
> filters/substitution/substitution-config.cpp PRE-CREATION
> filters/substitution/substitution-config.ui PRE-CREATION
> filters/substitution/substitution-filter.h PRE-CREATION
> filters/substitution/substitution-filter.cpp PRE-CREATION
> filters/substitution/substitution-prefs.h PRE-CREATION
> filters/substitution/substitution-prefs.cpp PRE-CREATION
> filters/youtube/CMakeLists.txt PRE-CREATION
> filters/youtube/ktptextui_message_filter_youtube.desktop PRE-CREATION
> filters/youtube/youtube-filter.h PRE-CREATION
> filters/youtube/youtube-filter.cpp PRE-CREATION
> lib/abstract-message-filter.h 7b60d48
> lib/abstract-message-filter.cpp 2a3a897
> lib/message.h ef9530b
> lib/message.cpp 6db648e
> tests/message-processor-basic-tests.h 7dc99e4
> tests/message-processor-basic-tests.cpp 8546605
>
> Diff: http://git.reviewboard.kde.org/r/106083/diff/
>
>
> Testing
> -------
>
> Wrote/passed/failed unit tests; talked to myself so much to the point I swear I have mild schizophrenia now.
>
>
> Thanks,
>
> Lasath Fernando
>
>
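Editor's worked example of the two fixes the review asks for: reject any bug id that is not a plain integer (which closes both href-context payloads, since nothing but digits can reach the attribute), and HTML-escape the summary returned by the remote jsonrpc.cgi before it is placed in the link body. This is an added example, not code from the ktp-text-ui bugzilla filter or from either participant; the function names, the deliberately unsafe rendering shown for contrast, and the base URL used in the usage code are assumptions.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Validate a bug id taken from an untrusted URL: non-empty, decimal digits only,
// short enough to be a real id, and non-zero (Bugzilla ids start at 1).
// Rejects "0'onmouseover=...", "%3Cb%3E...", "", "12abc" and similar.
// Returns false when the id is not acceptable.
bool parseBugId(const std::string& raw, std::uint64_t& out) {
    if (raw.empty() || raw.size() > 9) return false;
    std::uint64_t value = 0;
    for (char c : raw) {
        if (c < '0' || c > '9') return false;
        value = value * 10 + static_cast<std::uint64_t>(c - '0');
    }
    if (value == 0) return false;
    out = value;
    return true;
}

// Escape text for insertion into HTML element content or a double-quoted attribute.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical unsafe rendering in the shape the review objects to: a
// single-quoted attribute with the raw id and the raw summary concatenated in.
// Kept only to show what the hardened version changes; never use it.
std::string renderBugLinkUnsafe(const std::string& baseUrl, const std::string& rawId,
                                const std::string& summary) {
    return "<a href='" + baseUrl + "/show_bug.cgi?id=" + rawId + "'>" + summary + "</a>";
}

// Hardened rendering: the id must parse as an integer, so only digits can ever
// land in the href, and the summary (fetched from a remote JSON-RPC endpoint the
// attacker may control) is escaped. Returns an empty string when the id is
// invalid so the caller can leave the original message text untouched.
std::string renderBugLink(const std::string& baseUrl, const std::string& rawId,
                          const std::string& summary) {
    std::uint64_t id = 0;
    if (!parseBugId(rawId, id)) return std::string();
    return "<a href=\"" + htmlEscape(baseUrl) + "/show_bug.cgi?id=" + std::to_string(id) + "\">"
           + htmlEscape(summary) + "</a>";
}

int main() {
    // Constructed inputs mirroring the three cases in the review.
    const std::string evilId   = "0'onmouseover=alert(1)";            // case 1
    const std::string encoded  = "%3Cb%3Ehi%3C%2Fb%3E";                // case 2
    const std::string evilSumm = "<img src=x onerror=alert(1)>";       // case 3

    std::cout << "unsafe: " << renderBugLinkUnsafe("http://malicious.example.com", evilId, evilSumm) << "\n";
    std::cout << "safe, bad id (empty => not rewritten): [" << renderBugLink("https://bugs.kde.org", evilId, evilSumm) << "]\n";
    std::cout << "safe, bad id (empty => not rewritten): [" << renderBugLink("https://bugs.kde.org", encoded, evilSumm) << "]\n";
    std::cout << "safe, good id: " << renderBugLink("https://bugs.kde.org", "42", evilSumm) << "\n";
    return 0;
}
```

The integer check is the stronger of the two defences because it removes the attacker's freedom entirely rather than encoding it away; the escape on the summary is still required because that string comes from whatever host the URL pointed at, which the filter cannot vouch for.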