Opened on 03/12/2014 at 08:52:15 AM

Closed on 05/06/2015 at 02:08:04 PM

#57 closed change (rejected)

Set up RhodeCode

Reported by: fhd Assignee: AAlvz
Priority: P4 Milestone:
Module: Infrastructure Keywords:
Cc: matze Blocked By:
Blocking: Platform: Unknown
Ready: no Confidential: no
Tester: Verified working: no
Review URL(s):

https://github.com/adblockplus/infrastructure/pull/1

Description

Background

We want to use RhodeCode.

What to change

Set up RhodeCode.

Attachments (0)

Change History (9)

comment:1 Changed on 03/12/2014 at 10:16:12 PM by fhd

  • Reporter changed from philll to fhd

comment:2 Changed on 03/12/2014 at 10:16:49 PM by fhd

  • Priority changed from Unknown to P4

comment:3 Changed on 03/25/2014 at 03:20:20 AM by AAlvz

Pull request sent.

RhodeCode module (Hg) automatic installer.

(installer is downloaded, configurations are on private module)

Added node to vagrant.

https://github.com/adblockplus/infrastructure/pull/1

comment:4 follow-up: Changed on 03/31/2014 at 01:07:42 PM by fhd

  • Cc christian added
  • in_progress set to 0
  • Ready unset
  • Status changed from new to reviewing

Sorry for not getting around to this earlier, we'll review it now.

Christian, can you have a look first here? You should be able to comment on the PR since you're in the adblockplus organisation on GitHub.

comment:5 Changed on 03/31/2014 at 01:07:58 PM by fhd

  • Ready set

comment:6 Changed on 03/31/2014 at 01:08:38 PM by fhd

  • Review URL(s) modified (diff)

comment:7 in reply to: ↑ 4 Changed on 03/31/2014 at 01:54:39 PM by christian

Replying to fhd:

Sorry for not getting around to this earlier, we'll review it now.

Christian, can you have a look first here? You should be able to comment on the PR since you're in the adblockplus organisation on GitHub.

I'm looking into it.

comment:8 Changed on 05/13/2014 at 02:18:34 PM by christian

  • Owner set to AAlvz

comment:9 Changed on 05/06/2015 at 02:08:04 PM by trev

  • Cc matze added; christian removed
  • Platform set to Unknown
  • Ready unset
  • Resolution set to rejected
  • Status changed from reviewing to closed

Removing "ready" flag and closing as "rejected".

RhodeCode is no longer an open source project. That in itself isn't an issue, however I noticed that their approach to XSS prevention is "let's escape stuff manually." Recently, a fork called Kallithea fixed an XSS vulnerability that they apparently inherited from RhodeCode. Not only is it a really bad fix (adding escaping in the controller on top of the escaping performed in the template), it is also incomplete and leaves more vulnerabilities open. I tested a live RhodeCode instance and they seem to have applied exactly the same fix as Kallithea. I could easily reproduce another XSS vulnerability, one that wasn't covered by that fix.

The summary is unfortunately: neither RhodeCode nor Kallithea seem terribly competent as far as web application security goes. It isn't about individual bugs, their security architecture is inherently flawed.
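The double-escaping problem trev describes (a controller that pre-escapes on top of a template layer that escapes again), as an added Python example that is not RhodeCode's or Kallithea's code; `SafeHtml` and `escape_once` are hypothetical stand-ins for a MarkupSafe-style "already rendered" marker type, and the input string is constructed.

```python
import html

# Added example (not RhodeCode/Kallithea code): why escaping in the controller
# on top of an escaping template layer is the wrong architecture, and what a
# single output-boundary escaping layer looks like instead.


class SafeHtml(str):
    """A string already rendered as HTML; the template must not escape it again.
    Hypothetical stand-in for MarkupSafe's Markup type."""


def escape_once(value):
    """Escape at the output boundary unless the value is already marked safe.
    Calling this twice on the same value yields the same result (idempotent)."""
    if isinstance(value, SafeHtml):
        return value
    return SafeHtml(html.escape(str(value), quote=True))


def render_naive_template(value):
    """Template that escapes whatever plain string it receives."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def controller_with_manual_escaping(user_input):
    """The pattern the ticket criticises: the controller escapes manually,
    then the template escapes the already-escaped string a second time.
    Result: '&amp;' becomes '&amp;amp;' and the user sees entity garbage."""
    pre_escaped = html.escape(user_input, quote=True)
    return render_naive_template(pre_escaped)


def render_autoescaping_template(value):
    """Single escaping layer: the controller passes raw data and the template
    escapes exactly once at output, leaving SafeHtml values untouched."""
    return "<td>" + escape_once(value) + "</td>"


# Constructed sample input containing every character html.escape rewrites.
CONSTRUCTED_INPUT = 'Tom & "Jerry" <b>'
```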
