
Anonymous committed f1fad41

Preparing a new stable release

  • Parent commits 5dfcf3e
  • Branches 0.9-stable
  • Tags trac-0.9.5


Files changed (6)

+Trac 0.9.5  (Apr 18, 2006)
+http://svn.edgewall.com/repos/trac/tags/trac-0.9.5
+
+ * Fixed wiki macro XSS vulnerability found by Mr. Kazuhiro Nishiyama
+   at InterAct. http://jvn.jp/jp/JVN%2384091359/index.html
+ * Smaller memory usage when accessing subversion history.
+ * Fixed issue with incorrectly generated urls when installed behind a web 
+   proxy (#2531).
+ * Fixed bugs: #2531, #2777, #3020.
+	
 Trac 0.9.4  (Feb 15, 2006)
 http://svn.edgewall.com/repos/trac/tags/trac-0.9.4
 
-Trac 0.9.4 Release Notes
+Trac 0.9.5 Release Notes
 ============================
-Feb 15, 2006
+April 18, 2006
 
-We're proud to present our latest release - Trac 0.9.4.
+We're proud to present our latest release - Trac 0.9.5.
 
 Trac is an enhanced wiki and issue tracking system, integrated with
 Subversion, for software development projects. Trac uses a minimalistic
 
   <http://projects.edgewall.com/trac/>
 
-For questions, comments and user discussions, please use the Trac mailing list
-. List information, subscription and archive available at:
+For questions, comments and user discussions, please use the Trac mailing list.
+List information, subscription and archive available at:
 
   <http://projects.edgewall.com/trac/wiki/MailingList>
 
 
 What's New
 ----------
-A brief summary of major changes for version 0.9.4:
+A brief summary of major changes for version 0.9.5:
 
- * Deletion of reports has been fixed.
- * Various encoding issues with the timeline RSS feed have been fixed.
- * Fixed a memory leak when syncing with the repository.
- * Milestones in the roadmap are now ordered more intelligently.
+ * Fixed wiki macro XSS vulnerability.
+ * Smaller memory usage when accessing subversion history.
+ * Fixed issue with incorrectly generated urls when installed behind a web 
+   proxy.
 
 For a more complete list of improvements, see the ChangeLog at:
 
 """
 __docformat__ = 'epytext en'
 
-__version__ = '0.9.5dev'
+__version__ = '0.9.5'
 __url__ = 'http://trac.edgewall.com/'
 __copyright__ = '(C) 2003-2006 Edgewall Software'
 __license__ = 'BSD'

trac/wiki/macros.py

 
 from trac.config import default_dir
 from trac.core import *
-from trac.util import escape, format_date
+from trac.util import escape, format_date, Markup
 from trac.wiki.api import IWikiMacroProvider, WikiSystem
 from trac.wiki.model import WikiPage
 
      * `right`, `left`, `top` or `bottom` are interpreted as the alignment for
        the image
      * `nolink` means without link to image source.
-     * `key=value` style are interpreted as HTML attributes for the image
-     * `key:value` style are interpreted as CSS style indications for the image
+     * `key=value` style are interpreted as HTML attributes or CSS style
+        indications for the image. Valid keys are:
+        * align, border, width, height, alt, title, longdesc, class, id
+          and usemap
+        * `border` can only be a number
     
     Examples:
     {{{
         [[Image(photo.jpg, right)]]                    # aligned by keyword
         [[Image(photo.jpg, nolink)]]                   # without link to source
         [[Image(photo.jpg, align=right)]]              # aligned by attribute
-        [[Image(photo.jpg, float:right)]]              # aligned by style
-        [[Image(photo.jpg, float:right, border:solid 5px green)]] # 2 style specs
     }}}
     
     You can use image from other page, other ticket or other module.
         if len(args) == 0:
             raise Exception("No argument.")
         filespec = args[0]
-        size_re = re.compile('^[0-9]+%?$')
-        align_re = re.compile('^(?:left|right|top|bottom)$')
-        keyval_re = re.compile('^([-a-z0-9]+)([=:])(.*)')
-        quoted_re = re.compile("^(?:[\"'])(.*)(?:[\"'])$")
+        size_re = re.compile('[0-9]+%?$')
+        attr_re = re.compile('(align|border|width|height|alt|title|longdesc|class|id|usemap)=(.+)')
+        quoted_re = re.compile("(?:[\"'])(.*)(?:[\"'])$")
         attr = {}
         style = {}
         nolink = False
         for arg in args[1:]:
             arg = arg.strip()
-            if size_re.search(arg):
+            if size_re.match(arg):
                 # 'width' keyword
                 attr['width'] = arg
                 continue
-            if align_re.search(arg):
-                # 'align' keyword
-                attr['align'] = arg
-                continue
             if arg == 'nolink':
                 nolink = True
                 continue
-            match = keyval_re.search(arg)
+            match = attr_re.match(arg)
             if match:
-                key = match.group(1)
-                sep = match.group(2)
-                val = match.group(3)
+                key, val = match.groups()
                 m = quoted_re.search(val) # unquote "..." and '...'
                 if m:
                     val = m.group(1)
-                if sep == '=':
-                    attr[key] = val;
-                elif sep == ':':
-                    style[key] = val
+                if key == 'align':
+                    style['float'] = val
+                elif key == 'border':
+                    style['border'] = ' %dpx solid' % int(val);
+                else:
+                    attr[key] = val
 
         # parse filespec argument to get module and id if contained.
         parts = filespec.split(':')
             if desc and not attr.has_key(key):
                 attr[key] = desc
         a_style = 'padding:0; border:none' # style of anchor
-        img_attr = ' '.join(['%s="%s"' % x for x in attr.iteritems()])
-        img_style = '; '.join(['%s:%s' % x for x in style.iteritems()])
-        result = '<img src="%s" %s style="%s" />' \
-                 % (raw_url, img_attr, img_style)
+        img_attr = ' '.join(['%s="%s"' % (k, escape(v))
+                             for k, v in attr.iteritems()])
+        if style:
+            img_style = '; '.join(['%s:%s' % (k, escape(v))
+                                   for k, v in style.iteritems()])
+            img_attr += ' style="%s"' % img_style
+        result = Markup('<img src="%%s" %s />' % img_attr, raw_url).sanitize()
         if not nolink:
-            result = '<a href="%s" style="%s">%s</a>' % (url, a_style, result)
+            result = Markup('<a href="%s" style="%s">%s</a>',
+                            url, a_style, result)
         return result
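Review bot: The `align` branch at `style['float'] = val` no longer validates the value, because the removed `align_re` whitelist (`left|right|top|bottom`) is not re-applied to the `align=` key, so any string reaches `style="float:…"` and the only remaining guards are `escape()` and the `.sanitize()` call, whose treatment of CSS values is not visible in this diff. Re-checking before the assignment, `if val not in ('left', 'right', 'top', 'bottom'): raise Exception("Invalid align value.")`, keeps the defense independent of the sanitizer. In the same hunk `int(val)` for `border` raises a bare ValueError on a non-numeric value, whereas the missing-argument case raises with an explicit message; a matching message would be consistent. Note also that `quoted_re` lost its `^` anchor but is still used with `search`, so a constructed value like `a"b"` is now unquoted to `b` rather than kept whole. The enclosing method starts before this hunk.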
 
 

wiki-default/WikiStart

-= Welcome to Trac 0.9.5dev =
+= Welcome to Trac 0.9.5 =
 
 Trac is a '''minimalistic''' approach to '''web-based''' management of
 '''software projects'''. Its goal is to simplify effective tracking and handling of software issues, enhancements and overall progress.

wiki-macros/HelloWorld.py

 """Example macro."""
+from trac.util import escape
+
 
 def execute(hdf, txt, env):
     # Currently hdf is set only when the macro is called
     if hdf:
         hdf['wiki.macro.greeting'] = 'Hello World'
         
-    # args will be null if the macro is called without parentesis.
+    # args will be null if the macro is called without parenthesis.
     args = txt or 'No arguments'
-    return 'Hello World, args = ' + args
+    # then, as `txt` comes from the user, it's important to guard against
+    # the possibility to inject malicious HTML/Javascript:
+    # hence use `escape()`:
+    return 'Hello World, args = ' + escape(args)