From ecb6d6e79282fb555483d3133bf3e61dfeaf2e64 Mon Sep 17 00:00:00 2001 From: Nicolas Harraudeau Date: Mon, 31 Aug 2015 09:36:57 +0200 Subject: [PATCH 1/8] global: fix standard flash messages security * SECURITY Fixes potential XSS issues by changing main flash messages template so that they are not displayed as safe HTML by default. * NOTE Displaying HTML safe flash messages can be done by using one of these flash contexts: '(html_safe)', 'info(html_safe)', 'danger(html_safe)', 'error(html_safe)', 'warning(html_safe)', 'success(html_safe)' instead of the standard ones (which are the same without '(html safe)' at the end). Signed-off-by: Nicolas Harraudeau --- invenio/base/templates/_macros.html | 15 +++++++++++---- invenio/ext/script/__init__.py | 2 +- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/invenio/base/templates/_macros.html b/invenio/base/templates/_macros.html index 13bd6419c5..3c17d574e2 100644 --- a/invenio/base/templates/_macros.html +++ b/invenio/base/templates/_macros.html @@ -19,11 +19,18 @@ {%- macro flashed_messages() -%} {% block messages %} - {% for category, msg in get_flashed_messages(with_categories=True, category_filter=['', 'info', 'danger', 'error', 'warning', 'success']) %} - {% set category = 'danger' if category == 'error' else category %} -
+ {% for category, msg in get_flashed_messages(with_categories=True, + category_filter=['', 'info', 'danger', 'error', 'warning', 'success', + '(html_safe)', 'info(html_safe)', 'danger(html_safe)', 'error(html_safe)', + 'warning(html_safe)', 'success(html_safe)']) %} + {% set category = 'danger' if category == 'error' or category == 'error(html_safe)' else category %} +
× - {{ msg|safe }} + {% if category.endswith('(html_safe)') %} + {{ msg|safe }} + {% else %} + {{ msg }} + {% endif %}
{% endfor %} {% endblock messages %} diff --git a/invenio/ext/script/__init__.py b/invenio/ext/script/__init__.py index 24e308414c..896f861e4b 100644 --- a/invenio/ext/script/__init__.py +++ b/invenio/ext/script/__init__.py @@ -144,7 +144,7 @@ def check_for_software_updates(flash_message=False): 'download. You may want to visit ' '%()s', wiki=' Date: Mon, 31 Aug 2015 09:58:46 +0200 Subject: [PATCH 2/8] search: fix flash messages security * SECURITY Fixes potential XSS issues by changing search flash messages template so that they are not displayed as safe HTML by default. * NOTE Displaying HTML safe flash messages can be done by using one of these flash contexts: 'search-results-after(html_safe)', 'websearch-after-search-form(html_safe)' instead of the standard ones (which are the same without '(html safe)' at the end). Signed-off-by: Nicolas Harraudeau --- .../search/templates/search/form/index_base.html | 11 ++++++++--- .../modules/search/templates/search/results_base.html | 9 +++++++-- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/invenio/modules/search/templates/search/form/index_base.html b/invenio/modules/search/templates/search/form/index_base.html index 7d2b8fd5b8..e02de61614 100644 --- a/invenio/modules/search/templates/search/form/index_base.html +++ b/invenio/modules/search/templates/search/form/index_base.html @@ -1,6 +1,6 @@ {# # This file is part of Invenio. -# Copyright (C) 2014 CERN. +# Copyright (C) 2014, 2015 CERN. # # Invenio is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License as @@ -35,10 +35,15 @@
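Review bot: The line `{% set category = 'danger' if category == 'error' or category == 'error(html_safe)' else category %}` rewrites `error(html_safe)` to plain `danger` before the `{% if category.endswith('(html_safe)') %}` test runs, so a message flashed with `error(html_safe)` never reaches the `{{ msg|safe }}` branch and is autoescaped instead — fail-safe, but the category documented in the commit message does not work, and `tags/views.py` in patch 5 flashes with exactly that category. Preserve the suffix when remapping, e.g. `{% set category = 'danger(html_safe)' if category == 'error(html_safe)' else ('danger' if category == 'error' else category) %}`. The same line is still present unchanged in the context of the later `_macros.html` hunk (patch 6), so that fix does not cover it. It would also help to put a one-line comment above the loop, such as `{# (html_safe) categories disable autoescaping: the code that flashes them must escape() any interpolated user input #}`, so the contract is visible where the `|safe` filter lives.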
{%- block search_form_flashed_messages -%} {%- for category, msg in get_flashed_messages(with_categories=True, - category_filter=['websearch-after-search-form']) %} + category_filter=['websearch-after-search-form', + 'websearch-after-search-form(html_safe)']) %}
- {{ msg|safe }} + {% if category.endswith('(html_safe)') %} + {{ msg|safe }} + {% else %} + {{ msg }} + {% endif %}
{%- endfor %} diff --git a/invenio/modules/search/templates/search/results_base.html b/invenio/modules/search/templates/search/results_base.html index 7076cd95d9..358265cab8 100644 --- a/invenio/modules/search/templates/search/results_base.html +++ b/invenio/modules/search/templates/search/results_base.html @@ -254,8 +254,13 @@ {%- endblock search_results_footer %} - {% for category, msg in get_flashed_messages(with_categories=True, category_filter=['search-results-after']) %} - {{ msg|safe }} + {% for category, msg in get_flashed_messages(with_categories=True, + category_filter=['search-results-after', 'search-results-after(html_safe)']) %} + {% if category.endswith('(html_safe)') %} + {{ msg|safe }} + {% else %} + {{ msg }} + {% endif %} {% endfor %} {% endblock %}{% endmacro %} From 5f321468a41769af918a83431d941ae700a2164c Mon Sep 17 00:00:00 2001 From: Nicolas Harraudeau Date: Mon, 31 Aug 2015 11:32:51 +0200 Subject: [PATCH 3/8] accounts: fix link display in flash message * Fixes flash message display which was broken by flash message security fix. Signed-off-by: Nicolas Harraudeau --- invenio/modules/accounts/forms.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/invenio/modules/accounts/forms.py b/invenio/modules/accounts/forms.py index 915ac441bc..d39c07b5a9 100644 --- a/invenio/modules/accounts/forms.py +++ b/invenio/modules/accounts/forms.py @@ -92,7 +92,7 @@ def validate_email(self, field): from flask import flash, url_for flash(_("Note that if you have changed your email address, you \ will have to
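Review bot: The `{% if category.endswith('(html_safe)') %} {{ msg|safe }} {% else %} {{ msg }} {% endif %}` trust decision is now written out verbatim in this template, again in `results_base.html` in the same patch, and in `_macros.html` from patch 1, so any future change to the escaping policy has three places to miss. A small shared macro in `_macros.html` taking `category` and `msg`, called from both search templates, would keep the decision in one place; the inline copies could then go. Independently of that, each loop deserves a comment stating the contract, e.g. `{# (html_safe) categories bypass autoescaping; flashing code must escape() interpolated user input #}`, since the `|safe` filter is the only hint that a category suffix changes security behaviour.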
reset your password anew.", - link=url_for('webaccount.lost')), 'warning') + link=url_for('webaccount.lost')), 'warning(html_safe)') class LostPasswordForm(InvenioBaseForm): From 4c74ad908254203a929cd1210c87a27a98184a9e Mon Sep 17 00:00:00 2001 From: Nicolas Harraudeau Date: Mon, 31 Aug 2015 11:35:26 +0200 Subject: [PATCH 4/8] annotations: fix link display in flash message * Fixes flash message display which was broken by flash message security fix. Signed-off-by: Nicolas Harraudeau --- invenio/modules/annotations/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/invenio/modules/annotations/views.py b/invenio/modules/annotations/views.py index 750ebb5e42..dffce4004e 100644 --- a/invenio/modules/annotations/views.py +++ b/invenio/modules/annotations/views.py @@ -183,7 +183,7 @@ def notes(recid): flash(_('This is a summary of all the comments that includes only the \ existing annotations. The full discussion is available \ here.'), "info") + '">here.'), "info(html_safe)") from invenio.utils.washers import wash_html_id From bf147811aa1f499e9ed6432c21949b349250bdb6 Mon Sep 17 00:00:00 2001 From: Nicolas Harraudeau Date: Mon, 31 Aug 2015 11:36:06 +0200 Subject: [PATCH 5/8] tags: fix flash message * Fixes flash message by escaping user input string (tag name) and display it as safe HTML. Signed-off-by: Nicolas Harraudeau --- invenio/modules/tags/views.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/invenio/modules/tags/views.py b/invenio/modules/tags/views.py index a860b19bb3..00849cece2 100644 --- a/invenio/modules/tags/views.py +++ b/invenio/modules/tags/views.py @@ -25,7 +25,7 @@ """ # Flask -from flask import Blueprint, flash, jsonify, redirect, \ +from flask import Blueprint, escape, flash, jsonify, redirect, \ render_template, request, url_for from flask_breadcrumbs import default_breadcrumb_root, register_breadcrumb 
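Review bot: The anchor in this message is assembled by string concatenation (`… + '">here.'`) and the flash now uses `info(html_safe)`, which makes `_macros.html` render it with `|safe`; the value concatenated into the href is not visible in the hunk, so if it comes from anywhere other than `url_for()` it needs to go through `escape()` first, as `tags/views.py` does in patch 5. Whatever the source, record the justification next to the call so it is re-checked on edit, e.g. `# info(html_safe): markup is static; any interpolated value must be server-generated or escape()d`. The `notes()` body starts and continues outside the hunk.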
@@ -200,7 +200,8 @@ def tag_edit(id_tag): flash(_('Tag Successfully edited.'), 'success') else: - flash(_('Tag name') + ' ' + tag.name + ' ' + _('is already in use.'), 'error') + flash(_('Tag name') + ' ' + escape(tag.name) + + ' ' + _('is already in use.'), 'error(html_safe)') return dict(tag=tag, form=form) From a4635e22070b3b96f119026daf47a97ecb96c8ff Mon Sep 17 00:00:00 2001 From: Nicolas Harraudeau Date: Tue, 1 Sep 2015 09:17:13 +0200 Subject: [PATCH 6/8] global: fix flash message CSS class bug * Fix bug introduced by ecb6d6e79282fb555483d3133bf3e61dfeaf2e64. CSS class of 'html_safe' flash messages where not displayed properly. Signed-off-by: Nicolas Harraudeau --- invenio/base/templates/_macros.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/invenio/base/templates/_macros.html b/invenio/base/templates/_macros.html index 3c17d574e2..f800c4d75e 100644 --- a/invenio/base/templates/_macros.html +++ b/invenio/base/templates/_macros.html @@ -24,7 +24,7 @@ '(html_safe)', 'info(html_safe)', 'danger(html_safe)', 'error(html_safe)', 'warning(html_safe)', 'success(html_safe)']) %} {% set category = 'danger' if category == 'error' or category == 'error(html_safe)' else category %} -
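Review bot: `escape(tag.name)` is the only thing standing between a user-controlled tag name and the `{{ msg|safe }}` branch that `error(html_safe)` selects, but nothing in the code says so; a later edit replacing it with a plain `tag.name` would reintroduce the XSS silently. Add a comment above the call, `# tag.name is user input and must stay escape()d: the 'error(html_safe)'` / `# category renders this message without autoescaping.`. A regression test that edits a tag to a name containing markup and asserts the rendered response contains it only in escaped form would pin the behaviour. `tag_edit()` starts and ends outside the hunk.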
+
× {% if category.endswith('(html_safe)') %} {{ msg|safe }} From 5c0dfb279aa03dcc021712756667536a4fc6586e Mon Sep 17 00:00:00 2001 From: Jiri Kuncar Date: Tue, 1 Sep 2015 09:01:16 +0200 Subject: [PATCH 7/8] Invenio v2.0.6 Signed-off-by: Jiri Kuncar --- MANIFEST.in | 1 + NEWS | 76 +++++++++++++++++++++++++++++++++ RELEASE-NOTES | 102 ++++++++++++++++++++------------------------- RELEASE-NOTES.rst | 102 ++++++++++++++++++++------------------------- invenio/version.py | 2 +- 5 files changed, 170 insertions(+), 113 deletions(-) diff --git a/MANIFEST.in b/MANIFEST.in index 9ade313429..10be388509 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -5,6 +5,7 @@ include *.txt include *.yml include .bowerrc include .dockerignore +include .editorconfig include ABOUT-NLS include AUTHORS include COPYING diff --git a/NEWS b/NEWS index 0e91021439..5a7c2c9eab 100644 --- a/NEWS +++ b/NEWS 
@@ -6,6 +6,82 @@ releases. For more information about the current release, please consult RELEASE-NOTES. For more information about changes, please consult ChangeLog. +Invenio v2.0.6 -- released 2015-09-01 +------------------------------------- + +Security fixes +~~~~~~~~~~~~~~ + ++ global + + - Fixes potential XSS issues by changing main flash messages + template so that they are not displayed as safe HTML by default. + ++ search + + - Fixes potential XSS issues by changing search flash messages + template so that they are not displayed as safe HTML by default. + + +Improved features +~~~~~~~~~~~~~~~~~ + ++ I18N + + - Completes Italian translation. + - Completes French translation. + ++ global + + - Adds super(SmartDict, self).__init__ call in the __init__ method + in SmartDict to be able to make multiple inheritance in Record + class in invenio-records and be able to call both parent's + __init__. + + +Bug fixes +~~~~~~~~~ + ++ OAIHarvest + + - Fixes the parsing of resumptiontoken in incoming OAI-PMH XML which + could fail when the resumptiontoken was empty. + ++ i18n + + - Updates PO message catalogues and cleans them of duplicated + messages. (#3455) + ++ installation + + - Fixes database creation and upgrading by limiting Alembic version + to <0.7. + ++ legacy + + - Addresses an issue with calling six urllib.parse in a wrong way, + making users unable to harvest manually from the command line. + + +Notes +~~~~~ + ++ global + + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: '(html_safe)', 'info(html_safe)', + 'danger(html_safe)', 'error(html_safe)', 'warning(html_safe)', + 'success(html_safe)' instead of the standard ones (which are the + same without '(html safe)' at the end). 
+ ++ search + + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: 'search-results-after(html_safe)', + 'websearch-after-search-form(html_safe)' instead of the standard + ones (which are the same without '(html safe)' at the end). + + Invenio v2.0.5 -- released 2015-07-17 ------------------------------------- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 165ff8ae52..b9eca6c584 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -1,8 +1,8 @@ ============================ - Invenio v2.0.5 is released + Invenio v2.0.6 is released ============================ -Invenio v2.0.5 was released on July 17, 2015. +Invenio v2.0.6 was released on September 1, 2015. About ----- 
@@ -13,96 +13,86 @@ digital library or document repository on the web. Security fixes -------------- -+ docker: ++ global - - Disables debug mode when using standard Docker image. Uses docker - compose to set the variable instead. + - Fixes potential XSS issues by changing main flash messages + template so that they are not displayed as safe HTML by default. -Improved features ------------------ - -+ deposit: ++ search - - Improves handling of large files in deposit. + - Fixes potential XSS issues by changing search flash messages + template so that they are not displayed as safe HTML by default. -+ docker: - - Improves Docker documentation notably related to how to work with - Invenio site overlays. - - - Changes port number exposed by docker to non-reserved ones to - avoid conflicts with local installations. Webport is now 28080, - Redis 26379 and MySQL is 23306, which is a simple +20000 shift - from the standard ports. +Improved features +----------------- - - Integrates docker boot script into docker image. ++ I18N - - Changes docker boot script to use `exec`. This ensure signal - forwarding and reduces the overhead by one process. As a result - container shutdown is faster now. + - Completes Italian translation. + - Completes French translation. - - Changes manual master/slave configuration of Docker devboot script - to automatic solution using file locks. ++ global -+ jasmine: + - Adds super(SmartDict, self).__init__ call in the __init__ method + in SmartDict to be able to make multiple inheritance in Record + class in invenio-records and be able to call both parent's + __init__. - - Allows using variables from application config for building asset - bundles. Bug fixes --------- -+ deposit: ++ OAIHarvest - - Fixes issue with PLUpload chunking not being enabled. + - Fixes the parsing of resumptiontoken in incoming OAI-PMH XML which + could fail when the resumptiontoken was empty. 
-+ encoder: ++ i18n - - Corrects the `compose_file` function call in `process_batch_job` - to produce `/content.` instead of - `/content.content;`. (#3354) + - Updates PO message catalogues and cleans them of duplicated + messages. (#3455) -+ global: ++ installation - - Fixes the way configuration variables are parsed from ENV. It now - uses the same method we are using in `inveniomanage config set`. - This fixes the problem that `False` is not parsed correctly. + - Fixes database creation and upgrading by limiting Alembic version + to <0.7. -+ installation: ++ legacy - - Fixes capitalization of package names. + - Addresses an issue with calling six urllib.parse in a wrong way, + making users unable to harvest manually from the command line. -+ legacy: - - - Fixes inveniogc crash when mysql is NOT used to store sessions. - (#3205) - -+ login: - - - Provides flash message to indicate that an email with password - recovery could not be sent. (#3309) Notes ----- -+ global: ++ global + + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: '(html_safe)', 'info(html_safe)', + 'danger(html_safe)', 'error(html_safe)', 'warning(html_safe)', + 'success(html_safe)' instead of the standard ones (which are the + same without '(html safe)' at the end). + ++ search - - Backports Flask-IIIF extension from original commit - 213b6f1144734c9ecf425a1bc7b78e56ee5e4e3e. The extension is not - enabled by default in order to avoid feature addition to existing - minor release. + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: 'search-results-after(html_safe)', + 'websearch-after-search-form(html_safe)' instead of the standard + ones (which are the same without '(html safe)' at the end). 
Installation ------------ - $ pip install invenio==2.0.5 + $ pip install invenio==2.0.6 Upgrade ------- $ bibsched stop $ sudo systemctl stop apache2 - $ pip install --upgrade invenio==2.0.5 + $ pip install --upgrade invenio==2.0.6 $ inveniomanage upgrader check $ inveniomanage upgrader run $ sudo systemctl start apache2 @@ -111,7 +101,7 @@ Upgrade Documentation ------------- - http://invenio.readthedocs.org/en/v2.0.5 + http://invenio.readthedocs.org/en/v2.0.6 Happy hacking and thanks for flying Invenio. diff --git a/RELEASE-NOTES.rst b/RELEASE-NOTES.rst index 165ff8ae52..b9eca6c584 100644 --- a/RELEASE-NOTES.rst +++ b/RELEASE-NOTES.rst @@ -1,8 +1,8 @@ ============================ - Invenio v2.0.5 is released + Invenio v2.0.6 is released ============================ -Invenio v2.0.5 was released on July 17, 2015. +Invenio v2.0.6 was released on September 1, 2015. About ----- 
@@ -13,96 +13,86 @@ digital library or document repository on the web. Security fixes -------------- -+ docker: ++ global - - Disables debug mode when using standard Docker image. Uses docker - compose to set the variable instead. + - Fixes potential XSS issues by changing main flash messages + template so that they are not displayed as safe HTML by default. -Improved features ------------------ - -+ deposit: ++ search - - Improves handling of large files in deposit. + - Fixes potential XSS issues by changing search flash messages + template so that they are not displayed as safe HTML by default. -+ docker: - - Improves Docker documentation notably related to how to work with - Invenio site overlays. - - - Changes port number exposed by docker to non-reserved ones to - avoid conflicts with local installations. Webport is now 28080, - Redis 26379 and MySQL is 23306, which is a simple +20000 shift - from the standard ports. +Improved features +----------------- - - Integrates docker boot script into docker image. ++ I18N - - Changes docker boot script to use `exec`. This ensure signal - forwarding and reduces the overhead by one process. As a result - container shutdown is faster now. + - Completes Italian translation. + - Completes French translation. - - Changes manual master/slave configuration of Docker devboot script - to automatic solution using file locks. ++ global -+ jasmine: + - Adds super(SmartDict, self).__init__ call in the __init__ method + in SmartDict to be able to make multiple inheritance in Record + class in invenio-records and be able to call both parent's + __init__. - - Allows using variables from application config for building asset - bundles. Bug fixes --------- -+ deposit: ++ OAIHarvest - - Fixes issue with PLUpload chunking not being enabled. + - Fixes the parsing of resumptiontoken in incoming OAI-PMH XML which + could fail when the resumptiontoken was empty. 
-+ encoder: ++ i18n - - Corrects the `compose_file` function call in `process_batch_job` - to produce `/content.` instead of - `/content.content;`. (#3354) + - Updates PO message catalogues and cleans them of duplicated + messages. (#3455) -+ global: ++ installation - - Fixes the way configuration variables are parsed from ENV. It now - uses the same method we are using in `inveniomanage config set`. - This fixes the problem that `False` is not parsed correctly. + - Fixes database creation and upgrading by limiting Alembic version + to <0.7. -+ installation: ++ legacy - - Fixes capitalization of package names. + - Addresses an issue with calling six urllib.parse in a wrong way, + making users unable to harvest manually from the command line. -+ legacy: - - - Fixes inveniogc crash when mysql is NOT used to store sessions. - (#3205) - -+ login: - - - Provides flash message to indicate that an email with password - recovery could not be sent. (#3309) Notes ----- -+ global: ++ global + + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: '(html_safe)', 'info(html_safe)', + 'danger(html_safe)', 'error(html_safe)', 'warning(html_safe)', + 'success(html_safe)' instead of the standard ones (which are the + same without '(html safe)' at the end). + ++ search - - Backports Flask-IIIF extension from original commit - 213b6f1144734c9ecf425a1bc7b78e56ee5e4e3e. The extension is not - enabled by default in order to avoid feature addition to existing - minor release. + - Displaying HTML safe flash messages can be done by using one of + these flash contexts: 'search-results-after(html_safe)', + 'websearch-after-search-form(html_safe)' instead of the standard + ones (which are the same without '(html safe)' at the end). 
Installation ------------ - $ pip install invenio==2.0.5 + $ pip install invenio==2.0.6 Upgrade ------- $ bibsched stop $ sudo systemctl stop apache2 - $ pip install --upgrade invenio==2.0.5 + $ pip install --upgrade invenio==2.0.6 $ inveniomanage upgrader check $ inveniomanage upgrader run $ sudo systemctl start apache2 @@ -111,7 +101,7 @@ Upgrade Documentation ------------- - http://invenio.readthedocs.org/en/v2.0.5 + http://invenio.readthedocs.org/en/v2.0.6 Happy hacking and thanks for flying Invenio. diff --git a/invenio/version.py b/invenio/version.py index 3fd11b25d4..ec18ce89f3 100644 --- a/invenio/version.py +++ b/invenio/version.py @@ -30,7 +30,7 @@ # - revision can be set if you want to override the date coming from git. # # See the doctest below. -version = (2, 0, 6, 'dev', 20150717) +version = (2, 0, 6) def build_version(*args): From 60783b7384fbd2d5c2a361b6dbd48ba4a843bd55 Mon Sep 17 00:00:00 2001 From: Jiri Kuncar Date: Tue, 1 Sep 2015 10:23:33 +0200 Subject: [PATCH 8/8] installation: post-release version bump Signed-off-by: Jiri Kuncar --- invenio/version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/invenio/version.py b/invenio/version.py index ec18ce89f3..aa1af00971 100644 --- a/invenio/version.py +++ b/invenio/version.py @@ -30,7 +30,7 @@ # - revision can be set if you want to override the date coming from git. # # See the doctest below. -version = (2, 0, 6) +version = (2, 0, 7, 'dev', 20150901) def build_version(*args):