diff --git a/HISTORY.rst b/HISTORY.rst
index ca7371198c..6f6ecdf91d 100644
--- a/HISTORY.rst
+++ b/HISTORY.rst
@@ -1,3 +1,11 @@
+3.0.3 (2018-08-17)
+==================
+- Tags app: Add explicit casting of escaped tag labels to prevent exploit
+ of cross site scripting. Thanks to Lokesh (@lokesh1095) for
+ the report and proposed solutions. Closes GitLab issue #496.
+- Tags app: Add explicit post action redirect for the tag attach and
+ tag remove actions when working on a single document.
+
 3.0.2 (2018-08-16)
+==================
 - Docker install script: Default to verbose.
diff --git a/docker/version b/docker/version
index b502146930..75a22a26ac 100755
--- a/docker/version
+++ b/docker/version
@@ -1 +1 @@
-3.0.2
+3.0.3
diff --git a/docs/releases/3.0.2.rst b/docs/releases/3.0.2.rst
index 1d4a092f73..64612cc2bb 100644
--- a/docs/releases/3.0.2.rst
+++ b/docs/releases/3.0.2.rst
@@ -131,6 +131,7 @@ Bugs fixed or issues closed
 * `GitLab issue #489 `_ "next" parameter is not honored after login
 * `GitLab issue #490 `_ Crop Transformation seems to not convert input to numeric values
+* `GitLab issue #491 `_ "Warning Your database backend is set to use SQLite[...]" with docker compose
 * `GitLab issue #494 `_ DOM based Cross Site Scripting
 * `GitLab issue #495 `_ Persistent Cross Site Scripting
diff --git a/docs/releases/3.0.3.rst b/docs/releases/3.0.3.rst
new file mode 100644
index 0000000000..5338d24251
--- /dev/null
+++ b/docs/releases/3.0.3.rst
@@ -0,0 +1,79 @@
+===============================
+Mayan EDMS v3.0.3 release notes
+===============================
+
+Released: August 17, 2018
+
+What's new
+==========
+
+Program code
+------------
+- Tags app: Add explicit post action redirect for the tag attach and
+ tag remove actions when working on a single document.
+
+Security
+--------
+- Tags app: Add explicit casting of escaped tag labels to prevent exploit
+ of cross site scripting. Thanks to Lokesh (@lokesh1095) for
+ the report and proposed solutions. Closes GitLab issue #496.
+
+Removals
+--------
+- None
+
+Upgrading from a previous version
+---------------------------------
+
+
+Using PIP
+~~~~~~~~~
+
+Type in the console::
+
+ $ pip install mayan-edms==3.0.3
+
+the requirements will also be updated automatically.
+
+
+Using Git
+~~~~~~~~~
+
+If you installed Mayan EDMS by cloning the Git repository issue the commands::
+
+ $ git reset --hard HEAD
+ $ git pull
+
+otherwise download the compressed archived and uncompress it overriding the
+existing installation.
+
+Next upgrade/add the new requirements::
+
+ $ pip install --upgrade -r requirements.txt
+
+
+Common steps
+~~~~~~~~~~~~
+
+Migrate existing database schema with::
+
+ $ mayan-edms.py performupgrade
+
+Add new static media::
+
+ $ mayan-edms.py collectstatic --noinput
+
+The upgrade procedure is now complete.
+
+
+Backward incompatible changes
+=============================
+
+* None
+
+Bugs fixed or issues closed
+===========================
+
+* `GitLab issue #496 `_ Persistent Cross Site Scripting
+
+.. _PyPI: https://pypi.python.org/pypi/mayan-edms/
diff --git a/docs/releases/index.rst b/docs/releases/index.rst
index a2950d1a0e..305270f0e6 100644
--- a/docs/releases/index.rst
+++ b/docs/releases/index.rst
@@ -22,6 +22,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
 :maxdepth: 1
+ 3.0.3
 3.0.2
 3.0.1
 3.0
diff --git a/docs/topics/development.rst b/docs/topics/development.rst
index 4dfeee6f85..c384afc2c0 100644
--- a/docs/topics/development.rst
+++ b/docs/topics/development.rst
@@ -396,7 +396,6 @@ X.Y # Final release
 Release checklist
 ~~~~~~~~~~~~~~~~~
-
 1. Check for missing migrations::
 make check-missing-migrations
@@ -420,31 +419,40 @@ or with::
 make check-readme
-8. Bump version in `mayan/__init__.py` and in `docker/version`.
-9. Update requirements version in `setup.py` using::
+8. Bump version in `mayan/__init__.py`.
+9. Bump version in `docker/version`.
+10. Update requirements version in `setup.py` using::
 make generate-setup
-10. Build source package and test::
+11. Build source package and test::
 make test-sdist-via-docker-ubuntu
-11. Build wheel package and test::
+12. Build wheel package and test::
 make test-wheel-via-docker-ubuntu
-12. Tag version::
+13. Tag version::
 git tag -a vX.Y.Z -m "Version X.Y.Z"
-13. Push tag upstream::
+14. Switch to the `releases` branch::
+
+ git checkout releases
+
+15. Push tag upstream::
 git push --tags
-14. Build and upload a test release::
+16. Push code to trigger builds::
+
+ git push
+
+17. Build and upload a test release::
 make release-test-via-docker-ubuntu
-15. Build and upload a final release::
+18. Build and upload a final release::
 make release-via-docker-ubuntu
diff --git a/mayan/__init__.py b/mayan/__init__.py
index 653b5fd7ae..a01bd820ce 100644
--- a/mayan/__init__.py
+++ b/mayan/__init__.py
@@ -1,8 +1,8 @@
 from __future__ import unicode_literals
 __title__ = 'Mayan EDMS'
-__version__ = '3.0.2'
-__build__ = 0x030002
+__version__ = '3.0.3'
+__build__ = 0x030003
 __author__ = 'Roberto Rosario'
 __author_email__ = 'roberto.rosario@mayan-edms.com'
 __description__ = 'Free Open Source Electronic Document Management System'
diff --git a/mayan/apps/tags/views.py b/mayan/apps/tags/views.py
index d079894989..a03514a4c7 100644
--- a/mayan/apps/tags/views.py
+++ b/mayan/apps/tags/views.py
@@ -3,7 +3,7 @@ from __future__ import absolute_import, unicode_literals
 import logging
 from django.contrib import messages
-from django.shortcuts import get_object_or_404
+from django.shortcuts import get_object_or_404, reverse
 from django.urls import reverse_lazy
 from django.utils.translation import ugettext_lazy as _, ungettext
@@ -77,6 +77,13 @@ class TagAttachActionView(MultipleObjectFormActionView):
 return result
+ def get_post_action_redirect(self):
+ queryset = self.get_queryset()
+ if queryset.count() == 1:
+ return reverse('tags:document_tags', args=(queryset.first().pk,))
+ else:
+ return super(TagAttachActionView, self).get_post_action_redirect()
+
 def object_action(self, form, instance):
 attached_tags = instance.attached_tags()
@@ -291,6 +298,13 @@ class TagRemoveActionView(MultipleObjectFormActionView):
 return result
+ def get_post_action_redirect(self):
+ queryset = self.get_queryset()
+ if queryset.count() == 1:
+ return reverse('tags:document_tags', args=(queryset.first().pk,))
+ else:
+ return super(TagRemoveActionView, self).get_post_action_redirect()
+
 def object_action(self, form, instance):
 attached_tags = instance.attached_tags()
diff --git a/mayan/apps/tags/widgets.py b/mayan/apps/tags/widgets.py
index 449069576c..d532d0e8c1 100644
--- a/mayan/apps/tags/widgets.py
+++ b/mayan/apps/tags/widgets.py
@@ -3,6 +3,7 @@ from __future__ import absolute_import, unicode_literals
 from django import forms
 from django.apps import apps
 from django.template.loader import render_to_string
+from django.utils.html import conditional_escape
 from django.utils.safestring import mark_safe
 from .permissions import permission_tag_view
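Review bot: `get_post_action_redirect` evaluates the queryset twice, `queryset.count()` and then `queryset.first()`, and the identical six lines appear again in `TagRemoveActionView` in the next hunk of this file. A single evaluation does the same job, `documents = list(self.get_queryset()[:2])`, `if len(documents) == 1:`, `return reverse('tags:document_tags', args=(documents[0].pk,))`, with the `super()` fallback unchanged; the shared version belongs in a small mixin or on `MultipleObjectFormActionView`, whose default redirect is outside the hunk, so I cannot tell whether it already covers this case. The redirect target is built from the object's pk rather than from request input, which is the right side of the open-redirect line. Style: the file already imports `reverse_lazy` from `django.urls`, so `from django.urls import reverse, reverse_lazy` is the canonical home for `reverse` rather than the `django.shortcuts` re-export, and a one-line docstring such as `"""Return the single document's tag view when the action ran on exactly one document, else the default redirect."""` would record the special case.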
@@ -17,8 +18,8 @@ class TagFormWidget(forms.SelectMultiple):
 def create_option(self, name, value, label, selected, index, subindex=None, attrs=None):
 result = super(TagFormWidget, self).create_option(
- name=name, value=value, label=label, selected=selected,
- index=index, subindex=subindex, attrs=attrs
+ name=name, value=value, label='{}'.format(conditional_escape(label)),
+ selected=selected, index=index, subindex=subindex, attrs=attrs
 )
 result['attrs']['data-color'] = self.queryset.get(pk=value).color
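Review bot: `label='{}'.format(conditional_escape(label))` does two different things depending on the type of `label`, and the hunk does not show which one arrives. For a plain string, `conditional_escape` escapes here and Django's option template autoescapes `{{ widget.label }}` again, so a tag named `R&D` would display as `R&amp;D`; for a `SafeText` (this module imports `mark_safe`, so that is plausible), `conditional_escape` is a no-op and the `str.format` cast is what strips the safe marking so the template escapes it once, meaning the cast, not the escape call, is what closes the XSS. I would pin this with a widget test that renders a tag labelled `<script>` and one labelled `R&D` and asserts `&lt;script&gt;` and `R&amp;D` each appear exactly once in the output, and add `# cast to a plain str so the option template autoescapes the label; a SafeText label would bypass it` above the call; if labels are never SafeText, `label='{}'.format(label)` alone avoids the double escape. `create_option` continues past the end of the hunk.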