Cross Site Scripting in Activities View, Repository Commits

Issue #131 resolved
Anonymous created an issue

HTML code included in commit messages is output to the web interface without proper HTML entity conversion, leading to several security risks, including (but not limited to) identity theft and gain of administrator privileges. Tested with Git commits, but probably also affects SVN and other commit messages.
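As an added illustration of the bug described above (example code, not the project's own templates): a commit list entry rendered the vulnerable way, by concatenating the raw message into the markup, next to the same entry with HTML entity conversion applied. The functions `escapeHtml`, `renderCommitUnsafe`, `renderCommitSafe` and `containsForeignTags`, and the sample commit, are constructed for this example.

```javascript
// Added example, not code from the project under discussion.

// Convert the five characters that are significant in HTML text and
// attribute context into entities so the browser treats them as data.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable renderer: the untrusted commit message is dropped straight
// into the page, so any markup in it becomes part of the document.
function renderCommitUnsafe(commit) {
  return `<li class="commit"><span class="rev">${commit.id}</span> ${commit.message}</li>`;
}

// Fixed renderer: every field that originates in the repository is
// entity-encoded before it is concatenated into the template.
function renderCommitSafe(commit) {
  return `<li class="commit"><span class="rev">${escapeHtml(commit.id)}</span> ${escapeHtml(commit.message)}</li>`;
}

// Regression check: does the rendered HTML contain any element name that the
// template itself does not emit? Useful as a unit test for every view that
// shows commit data (activity feed, commit list, repository browser).
function containsForeignTags(html, allowedTags) {
  const names = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return names.some((name) => !allowedTags.includes(name));
}

// Constructed sample commit: the id is a placeholder and the message carries
// harmless markup so the difference between the two renderers is visible.
const SAMPLE_COMMIT = {
  id: "0000000cafe0",
  message: 'Fix redirect <b>now</b> & <script>marker()</script>',
};

const TEMPLATE_TAGS = ["li", "span"];
console.log(renderCommitUnsafe(SAMPLE_COMMIT)); // markup from the message survives
console.log(renderCommitSafe(SAMPLE_COMMIT));   // message shown as literal text
```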

Comments (4)

  1. Sebastian Sebastian repo owner

    Possible fix 3ec90e460ee8.

    Note this version fixes only the activities view and the repository commits. The bug still exists in the repository browser. I will fix the repository browser tomorrow.

    Could you please test this version:

    Is it possible that you create a Bitbucket account? Because the notification system of Bitbucket does not notify on anonymous comments.

  2. Daniel Fett

    This is fixed, but the fixed version doesn't work (problems with checkouts, locking, etc.).

    Update: This had nothing to do with the locking issue. This bug is resolved and no follow-up errors occurred.
