Opened on 03/12/2014 at 08:52:15 AM
Closed on 05/06/2015 at 02:08:04 PM
#57 closed change (rejected)
Set up RhodeCode
| Reported by: | fhd | Assignee: | AAlvz |
|---|---|---|---|
| Priority: | P4 | Milestone: | |
| Module: | Infrastructure | Keywords: | |
| Cc: | matze | Blocked By: | |
| Blocking: | | Platform: | Unknown |
| Ready: | no | Confidential: | no |
| Tester: | | Verified working: | no |
| Review URL(s): | | | |
Description
Background
We want to use RhodeCode.
What to change
Set up RhodeCode.
Change History (9)
comment:1 Changed on 03/12/2014 at 10:16:12 PM by fhd
- Reporter changed from philll to fhd
comment:2 Changed on 03/12/2014 at 10:16:49 PM by fhd
- Priority changed from Unknown to P4
comment:3 Changed on 03/25/2014 at 03:20:20 AM by AAlvz
comment:4 (follow-up: comment 7) Changed on 03/31/2014 at 01:07:42 PM by fhd
- Cc christian added
- in_progress set to 0
- Ready unset
- Status changed from new to reviewing
Sorry for not getting around to this earlier, we'll review it now.
Christian, can you have a look first here? You should be able to comment on the PR since you're in the adblockplus organisation on GitHub.
comment:5 Changed on 03/31/2014 at 01:07:58 PM by fhd
- Ready set
comment:7 (in reply to comment 4) Changed on 03/31/2014 at 01:54:39 PM by christian
Replying to fhd:
> Sorry for not getting around to this earlier, we'll review it now.
> Christian, can you have a look first here? You should be able to comment on the PR since you're in the adblockplus organisation on GitHub.
I'm looking into it.
comment:8 Changed on 05/13/2014 at 02:18:34 PM by christian
- Owner set to AAlvz
comment:9 Changed on 05/06/2015 at 02:08:04 PM by trev
- Cc matze added; christian removed
- Platform set to Unknown
- Ready unset
- Resolution set to rejected
- Status changed from reviewing to closed
Removing "ready" flag and closing as "rejected".
RhodeCode is no longer an open source project. That in itself isn't an issue, however I noticed that their approach to XSS prevention is "let's escape stuff manually." Recently, a fork called Kallithea fixed an XSS vulnerability that they apparently inherited from RhodeCode. Not only is it a really bad fix (adding escaping in the controller on top of the escaping performed in the template), it is also incomplete and leaves more vulnerabilities open. I tested a live RhodeCode instance and they seem to have applied exactly the same fix as Kallithea. I could easily reproduce another XSS vulnerability, one that wasn't covered by that fix.
The summary is unfortunately: neither RhodeCode nor Kallithea seem terribly competent as far as web application security goes. It isn't about individual bugs; their security architecture is inherently flawed.
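An added illustration of the escaping-layer problem described in the comment above. This is example code written for this page, not RhodeCode's or Kallithea's code: the `${name}` placeholder syntax, the two toy renderers, the sample input and the helper names are all constructed. It contrasts the three outcomes the comment refers to: a controller that forgets to escape under a manual-escaping policy, a controller that escapes on top of an autoescaping template (double escaping, which is the symptom of a fix applied in the wrong layer), and escaping done once at the template boundary.

```python
import html
import re

# Constructed sample of user-controlled data, e.g. a repository description.
USER_INPUT = '<b>"repo"</b> & friends'

# Constructed template: the same value lands in an attribute and in text.
TEMPLATE = '<p title="${description}">${description}</p>'

# Placeholder syntax used by the toy renderers below (assumption, not Mako).
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

# Symptom of escaping applied twice: an entity whose ampersand was itself escaped.
DOUBLE_ESCAPE_RE = re.compile(r"&amp;(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);")


def escape_once(value: str) -> str:
    """Escape for an HTML text or quoted-attribute context (quotes included)."""
    return html.escape(value, quote=True)


def render_autoescaped(template: str, **ctx: str) -> str:
    """Model of a template engine with autoescaping on: every substituted value
    is escaped at the output boundary, whatever the controller did before."""
    return PLACEHOLDER.sub(lambda m: escape_once(ctx[m.group(1)]), template)


def render_manual(template: str, **ctx: str) -> str:
    """Model of the 'escape stuff manually' policy: values are substituted raw,
    and each controller is responsible for escaping before rendering."""
    return PLACEHOLDER.sub(lambda m: ctx[m.group(1)], template)


def render_forgotten_escape() -> str:
    """Manual policy, controller forgot to escape: markup reaches the page."""
    return render_manual(TEMPLATE, description=USER_INPUT)


def render_double_escaped() -> str:
    """Controller escapes AND the template autoescapes: the user sees literal
    '&lt;b&gt;' text instead of the intended characters."""
    return render_autoescaped(TEMPLATE, description=escape_once(USER_INPUT))


def render_correct() -> str:
    """Escaping lives in exactly one layer, the template boundary."""
    return render_autoescaped(TEMPLATE, description=USER_INPUT)


def looks_double_escaped(rendered: str) -> bool:
    """Cheap check for the double-escaping symptom in rendered output."""
    return DOUBLE_ESCAPE_RE.search(rendered) is not None


if __name__ == "__main__":
    for name, fn in [("forgotten", render_forgotten_escape),
                     ("double", render_double_escaped),
                     ("correct", render_correct)]:
        out = fn()
        print(f"{name:9s} double-escaped={looks_double_escaped(out)!s:5s} {out}")
```

The point of the contrast is architectural: with autoescaping at the template boundary, a controller that forgets to escape is still safe, and a controller that escapes anyway produces a visible double-escaping artefact rather than a silent hole. With manual escaping, every forgotten call site is a vulnerability. Note that autoescaping covers HTML text and quoted-attribute contexts only; values placed inside JavaScript, CSS or URLs need context-specific encoding regardless of which layer does it.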
Pull request sent.
RhodeCode module (Hg) automatic installer.
(installer is downloaded, configurations are on private module)
Added node to vagrant.
https://github.com/adblockplus/infrastructure/pull/1