
Nate Coraor committed 8c30e91 Merge

Apply 2014.07.30 security fix to release_2014.06.02

  • Parent commits d3b1f48, 96e2b84
  • Branches stable


Files changed (3)

 26f58e05aa1068761660681583821e21e6cbf7ab release_2013.11.04
 5e605ed6069fe4c5ca9875e95e91b2713499e8ca release_2014.02.10
 9e53251b0b7e93b9563008a2b112f2e815a04bbc release_2014.04.14
-68a8b0397947c732b28207d465d3f3c4e2a7a8a0 latest_2014.04.14
 7e257c7b10badb65772b1528cb61d58175a42e47 release_2014.06.02
 8a863a311a6c9f14b302799bffcf94df9186fef7 latest_2014.06.02
+9661b9d5d5b330483ae3ad2236410e0efaa7c500 latest_2014.04.14
+6b0bd93038a843b1585155f0d63f0eea2459c70b latest_2013.01.13
+3e62060b14b9afc46f8e0ec02e1a4500d77db9e1 latest_2013.02.08
+425009b3ff4d8b67d2812253b221f3c4f4a8d1e3 latest_2013.04.01
+9713d86392ef985ffcdc39ff0c8ddf51a1f9ce47 latest_2013.06.03
+9ed84cd208e07e8985ec917cb025fcbbb09edcfb latest_2013.08.12
+81fbe25bd02edcd53065e8e4476dd1dfb5a72cf2 latest_2013.11.04
+2a756ca2cb1826db7796018e77d12e2dd7b67603 latest_2014.02.10

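--- a/lib/galaxy/util/__init__.py
+++ b/lib/galaxy/util/__init__.py
 
 
 def object_to_string( obj ):
-    return binascii.hexlify( pickle.dumps( obj, 2 ) )
+    return binascii.hexlify( obj )
 
 def string_to_object( s ):
-    return pickle.loads( binascii.unhexlify( s ) )
+    return binascii.unhexlify( s )
 
 def compare_urls( url1, url2, compare_scheme=True, compare_hostname=True, compare_path=True ):
     url1 = urlparse( url1 )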
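Review bot: `object_to_string` and `string_to_object` keep names that promise object serialization, but after this change they only hex-encode and hex-decode a string, so any caller outside this commit that still passes a dict or list will now fail inside `binascii.hexlify`, and any caller expecting an object back receives a plain string. Dropping `pickle.loads` is the right direction, because the `ucsc_proxy.py` section of this commit shows `s` arriving from a request parameter, and unpickling client-supplied bytes can execute code. I would add a docstring to each function stating the new contract, for example `"""Hex-encode an already serialized string; callers serialize with JSON first and never pickle data that round-trips through a client."""`. The remaining callers are not visible on this page and should be checked against that contract.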

File lib/galaxy/webapps/galaxy/controllers/ucsc_proxy.py

 from galaxy.web.base.controller import *
 
 import sys
+import json
 from galaxy import web, util
 
 import re, urllib, logging
         try:
             store = params.get("__GALAXY__", None)
             if store:
-                store = util.string_to_object(store)
+                store = json.loads(util.string_to_object(store))
             else:
                 store = {}
             UCSC_URL = 'UCSC_URL'
 
                 # Serialize store into a form element
                 store_text = "<INPUT TYPE=\"HIDDEN\" NAME=\"__GALAXY__\" ID=\"__GALAXY__\" VALUE=\"" \
-                             + util.object_to_string(store) + "\" \>"
+                             + json.dumps(util.object_to_string(store)) + "\" \>"
 
                 # Remove text regions that should not be exposed
                 for key,value in altered_regions.items():
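Review bot: The write path nests the calls in the opposite order to the read path: `json.dumps(util.object_to_string(store))` hands `store` to `binascii.hexlify` before it is serialized, whereas the reader does `json.loads(util.string_to_object(store))`. At that point `store` is `{}` or the result of `json.loads` (assuming nothing between the hunks reassigns it), so `hexlify` should raise a TypeError, and even for a string input `json.dumps` would wrap the hex digits in double quotes inside the `VALUE="..."` attribute. The line should read `+ util.object_to_string(json.dumps(store)) + "\" \>"`, which emits plain hex and round-trips with the reader. Because `__GALAXY__` is a client-controlled form field, it is also worth rejecting a decoded value that is not a dict, e.g. `if not isinstance(store, dict): store = {}`. The enclosing method starts and ends outside these hunks.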