[Pkg-privacy-commits] [onionshare] 60/256: Make render_template_string autoescape by default in Flask versions < 0.11

Ulrike Uhlig ulrike at moszumanska.debian.org
Fri May 26 12:53:14 UTC 2017



commit 406fffdb3969c96cd05ea643bfe1ec7f995afbb5
Author: Garrett Robinson <garrett.f.robinson at gmail.com>
Date:   Fri Dec 30 12:40:05 2016 -0500

    Make render_template_string autoescape by default in Flask versions < 0.11
---
 onionshare/web.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/onionshare/web.py b/onionshare/web.py
index e50c0ed..9f0b02c 100644
--- a/onionshare/web.py
+++ b/onionshare/web.py
@@ -17,12 +17,29 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
+from distutils.version import StrictVersion as Version
 import queue, mimetypes, platform, os, sys, socket, logging
 from urllib.request import urlopen
+
 from flask import Flask, Response, request, render_template_string, abort
+from flask import __version__ as flask_version
 
 from . import strings, helpers
 
+
+def _safe_select_jinja_autoescape(self, filename):
+    if filename is None:
+        return True
+    return filename.endswith(('.html', '.htm', '.xml', '.xhtml'))
+
+# Starting in Flask 0.11, render_template_string autoescapes template variables
+# by default. To prevent content injection through template variables in
+# earlier versions of Flask, we force autoescaping in the Jinja2 template
+# engine if we detect a Flask version with insecure default behavior.
+if Version(flask_version) < Version('0.11'):
+    # Monkey-patch in the fix from https://github.com/pallets/flask/commit/99c99c4c16b1327288fd76c44bc8635a1de452bc
+    Flask.select_jinja_autoescape = _safe_select_jinja_autoescape
+
 app = Flask(__name__)
 
 # information about the file
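Review bot: The version check on the `if Version(flask_version) < Version('0.11'):` line can itself raise at import time, because `StrictVersion` only accepts `N.N[.N][aN|bN]` strings; a pre-release or distribution-suffixed Flask version string (`0.12.dev0`, `0.11+deb1` and the like, constructed examples) makes `Version(flask_version)` raise `ValueError` and the whole `web` module fails to load. Since this is a security guard, it should fail closed: if the version cannot be parsed, apply the autoescape patch anyway rather than skipping it or crashing. The patch is also process-wide (it rebinds `Flask.select_jinja_autoescape` on the class, not on `app`), which is presumably intended here but worth stating in the comment, e.g. `# Note: this affects every Flask app in this process, not just ours.`
```python
try:
    _needs_autoescape_fix = Version(flask_version) < Version('0.11')
except ValueError:
    # Unparseable (e.g. pre-release) version string: fail closed and
    # apply the fix rather than silently running without autoescaping.
    _needs_autoescape_fix = True

if _needs_autoescape_fix:
    # Monkey-patch in the fix from https://github.com/pallets/flask/commit/99c99c4c16b1327288fd76c44bc8635a1de452bc
    Flask.select_jinja_autoescape = _safe_select_jinja_autoescape
```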
