Merge branch 'directory-xss'

2025-01-06 11:35:24 +08:00 · 2018-11-18 14:46:53 +01:00 · 2018-11-18 14:46:53 +01:00 · 288b73e1ed
commit 288b73e1ed
parent 588b1f8eb3 1ed04ffa8a
2 changed files with 55 additions and 23 deletions
--- a/docs/source/changelog.rst
+++ b/docs/source/changelog.rst
@ -21,6 +21,21 @@ We strongly recommend that you upgrade pip to version 9+ of pip before upgrading
    Use ``pip install pip --upgrade`` to upgrade pip. Check pip version with
    ``pip --version``.

+.. _release-5.7.2:
+
+5.7.2
+-----
+
+5.7.2 contains a security fix preventing malicious directory names
+from being able to execute javascript. CVE request pending.
+
+.. _release-5.7.1:
+
+5.7.1
+-----
+
+5.7.1 contains a security fix preventing nbconvert endpoints from executing javascript with access to the server API. CVE request pending.
+
 .. _release-5.7.0:

 5.7.0
--- a/notebook/static/tree/js/notebooklist.js
+++ b/notebook/static/tree/js/notebooklist.js
@ -383,18 +383,28 @@ define([
        breadcrumb.empty();
        var list_item = $('<li/>');
        var root_url = utils.url_path_join(that.base_url, '/tree');
-        var root = $('<li/>').append('<a href="' + root_url + '"><i class="fa fa-folder"></i></a>').click(function(e) {
-            // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
-            if(e.altKey || e.metaKey || e.shiftKey) {
-                return true;
-            }
-            var path = '';
-            window.history.pushState({
-                path: path
-            }, 'Home', utils.url_path_join(that.base_url, 'tree'));
-            that.update_location(path);
-            return false;
-        });
+        var root = $('<li/>').append(
+            $("<a/>")
+            .attr('href', root_url)
+            .append(
+                $("<i/>")
+                .addClass('fa fa-folder')
+            )
+            .click(function(e) {
+                // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
+                if(e.altKey || e.metaKey || e.shiftKey) {
+                    return true;
+                }
+                var path = '';
+                window.history.pushState(
+                    {path: path},
+                    'Home',
+                    utils.url_path_join(that.base_url, 'tree')
+                );
+                that.update_location(path);
+                return false;
+            })
+        );
        breadcrumb.append(root);
        var path_parts = [];
        this.notebook_path.split('/').forEach(function(path_part) {
@ -405,17 +415,24 @@ define([
                '/tree',
                utils.encode_uri_components(path)
            );
-            var crumb = $('<li/>').append('<a href="' + url + '">' + path_part + '</a>').click(function(e) {
-                // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
-                if(e.altKey || e.metaKey || e.shiftKey) {
-                    return true;
-                }
-                window.history.pushState({
-                    path: path
-                }, path, url);
-                that.update_location(path);
-                return false;
-            });
+            var crumb = $('<li/>').append(
+                $('<a/>')
+                .attr('href', url)
+                .text(path_part)
+                .click(function(e) {
+                    // Allow the default browser action when the user holds a modifier (e.g., Ctrl-Click)
+                    if(e.altKey || e.metaKey || e.shiftKey) {
+                        return true;
+                    }
+                    window.history.pushState(
+                        {path: path},
+                        path,
+                        url
+                    );
+                    that.update_location(path);
+                    return false;
+                })
+            );
            breadcrumb.append(crumb);
        });
        this.contents.list_contents(that.notebook_path).then(