[Buildbot] #2589: Waterfall help content spoofing
Buildbot trac
trac at buildbot.net
Thu Oct 2 21:52:28 UTC 2014
#2589: Waterfall help content spoofing
-------------------+--------------------
Reporter: wms | Owner:
Type: defect | Status: new
Priority: major | Milestone: 0.8.x
Version: 0.8.8 | Resolution:
Keywords: |
-------------------+--------------------
Comment (by wms):
Here's a patch against 0.8.9 for both the waterfall help and several uses
of int() around the numbuilds param. I feel like there's probably a better
fix by wrapping all uses of request.args.get() in a function that does
some type checking and sanitizing, but this fixes the things mentioned
here.
{{{
diff -ru buildbot.orig/status/web/builder.py
buildbot/status/web/builder.py
--- buildbot.orig/status/web/builder.py 2014-10-02 14:28:53.000000000
-0700
+++ buildbot/status/web/builder.py 2014-10-02 14:42:08.000000000
-0700
@@ -362,7 +362,10 @@
'properties': properties,
})
- numbuilds = cxt['numbuilds'] = int(req.args.get('numbuilds',
[self.numbuilds])[0])
+ try:
+ numbuilds = cxt['numbuilds'] = int(req.args.get('numbuilds',
[self.numbuilds])[0])
+ except:
+ numbuilds = cxt['numbuilds'] = 10
maxsearch = int(req.args.get('maxsearch', [200])[0])
recent = cxt['recent'] = []
for build in b.generateFinishedBuilds(
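Review bot: The bare `except:` added around the `numbuilds` parse catches every exception, not only a malformed query value, and it falls back to a literal 10 rather than the `self.numbuilds` default the expression already uses. Narrowing it to `except ValueError:` with `numbuilds = cxt['numbuilds'] = self.numbuilds` keeps the page default and lets unrelated errors surface. The same pattern recurs in both olpb.py hunks and in the status_json.py hunk. In this hunk the following line, `maxsearch = int(req.args.get('maxsearch', [200])[0])`, still parses a request parameter unguarded, so a non-numeric `maxsearch` would presumably still raise. The enclosing function starts and ends outside the hunk.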
diff -ru buildbot.orig/status/web/olpb.py buildbot/status/web/olpb.py
--- buildbot.orig/status/web/olpb.py 2014-10-02 14:28:53.000000000
-0700
+++ buildbot/status/web/olpb.py 2014-10-02 14:42:26.000000000 -0700
@@ -55,7 +55,10 @@
def content(self, req, cxt):
status = self.getStatus(req)
- numbuilds = int(req.args.get("numbuilds", [self.numbuilds])[0])
+ try:
+ numbuilds = int(req.args.get("numbuilds",
[self.numbuilds])[0])
+ except:
+ numbuilds = 10
builders = req.args.get("builder", [])
branches = [b for b in req.args.get("branch", []) if b]
@@ -104,7 +107,10 @@
self.pageTitle = "Recent Builds of %s" % self.builder_name
def content(self, req, cxt):
- numbuilds = int(req.args.get("numbuilds", [self.numbuilds])[0])
+ try:
+ numbuilds = int(req.args.get("numbuilds",
[self.numbuilds])[0])
+ except:
+ numbuilds = 10
branches = [b for b in req.args.get("branch", []) if b]
# walk backwards through all builds of a single builder
diff -ru buildbot.orig/status/web/status_json.py
buildbot/status/web/status_json.py
--- buildbot.orig/status/web/status_json.py 2014-10-02
14:28:53.000000000 -0700
+++ buildbot/status/web/status_json.py 2014-10-02 14:43:17.000000000
-0700
@@ -650,7 +650,10 @@
builds = []
builder_status = self.status.getBuilder(builderName)
cache_size = builder_status.master.config.caches['Builds']
- numbuilds = int(request.args.get('numbuilds', [cache_size -
1])[0])
+ try:
+ numbuilds = int(request.args.get('numbuilds', [cache_size
- 1])[0])
+ except:
+ numbuilds = 10
for i in range(1, numbuilds):
build_status = builder_status.getBuild(-i)
if not build_status or not build_status.isFinished():
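Review bot: `numbuilds` becomes the bound of `range(1, numbuilds)` with no upper limit, so any value that parses as an integer is accepted, however large. Clamping it after the parse, e.g. `numbuilds = min(numbuilds, cache_size - 1)`, ties the loop to the build cache size that the default is already derived from. The fallback of 10 can also exceed `cache_size - 1` on a master configured with a small cache, so `cache_size - 1` would be the more consistent fallback. The loop body continues outside the hunk, so whether it exits early on a missing build cannot be confirmed from here.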
diff -ru buildbot.orig/status/web/waterfall.py
buildbot/status/web/waterfall.py
--- buildbot.orig/status/web/waterfall.py 2014-10-02
14:28:53.000000000 -0700
+++ buildbot/status/web/waterfall.py 2014-10-02 14:45:55.000000000
-0700
@@ -333,6 +333,8 @@
current_reload_time = request.args.get("reload", ["none"])
if current_reload_time:
current_reload_time = current_reload_time[0]
+ if not current_reload_time.isdigit():
+ current_reload_time = "none"
if current_reload_time not in [t[0] for t in times]:
times.insert(0, (current_reload_time, current_reload_time))
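Review bot: The `isdigit()` check limits the reflected value to digits, but any digit string not already in `times` is still inserted as a new menu entry by `times.insert(0, (current_reload_time, current_reload_time))`, so arbitrarily long numbers and values such as `0` are still accepted. If only the predefined intervals are meant to be selectable, resetting to `"none"` whenever the value is not in `[t[0] for t in times]` would remove the reflection entirely; otherwise add a bound, e.g. `if not current_reload_time.isdigit() or len(current_reload_time) > 6:`. Indentation is lost on this page, so it is unclear whether the new check sits inside `if current_reload_time:`. It needs to, because an empty list has no `isdigit()`. The enclosing function starts outside the hunk.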
}}}
--
Ticket URL: <http://trac.buildbot.net/ticket/2589#comment:5>
Buildbot <http://buildbot.net/>
Buildbot: build/test automation