c1e3087 | Nate Coraor | 15 December 2016, 17:34:18 UTC | Fix an ACE vulnerability with gff filter tools. Thanks to David Wyde for the disclosure. | 15 December 2016, 17:34:18 UTC |
cee85ba | Nate Coraor | 24 February 2016, 16:18:19 UTC | Security fixes for tool shed repository browsing | 24 February 2016, 16:18:19 UTC |
78f441b | Nate Coraor | 24 February 2016, 16:18:19 UTC | Remove sample tracking manual external service transfer due to security concerns | 24 February 2016, 16:18:19 UTC |
32c910a | Nate Coraor | 24 February 2016, 16:18:19 UTC | Security fixes for object store paths | 24 February 2016, 16:18:19 UTC |
3b96322 | Nate Coraor | 24 February 2016, 16:18:18 UTC | Security fixes for history imports | 24 February 2016, 16:18:18 UTC |
ca123a4 | Nate Coraor | 24 February 2016, 16:18:18 UTC | Add a safe_relpath util function for ensuring a path does not reference an absolute or parent directory | 24 February 2016, 16:18:18 UTC |
360a6ad | Björn Grüning | 21 August 2015, 18:28:25 UTC | Merge pull request #634 from nsoranzo/release_14.10 [14.10] Backport tool lineage fix. | 21 August 2015, 18:28:25 UTC |
85c9712 | Nicola Soranzo | 12 August 2015, 17:25:40 UTC | Remove existing wrong tool version associations in ToolVersionManager.handle_tool_versions() . Fix #552. To fix a tool with a wrong lineage, click on "Set tool versions" on the "Repository Actions" menu. | 21 August 2015, 17:51:24 UTC |
cbae8fa | Nate Coraor | 12 August 2015, 20:43:52 UTC | Fix an XSS reflection vulnerability on the workflow import form. | 12 August 2015, 20:43:52 UTC |
0972c14 | Dannon Baker | 01 May 2015, 19:26:06 UTC | Merge pull request #199 from dannon/release_14.10 [STABLE] Import safe_dumps from galaxy_utils to properly set metadata for interva... | 01 May 2015, 19:26:06 UTC |
5f2c364 | Marius van den Beek | 30 April 2015, 17:39:23 UTC | Import safe_dumps from galaxy_utils to properly set metadata for interval files. | 01 May 2015, 18:59:39 UTC |
1029356 | Daniel Blankenberg | 22 April 2015, 18:40:55 UTC | Fix for arbitrary code execution in the ToolShed when uploaded tools reference a <code file=...>. Release 14.08..15.01 version | 22 April 2015, 18:40:55 UTC |
e16e57c | John Chilton | 30 March 2015, 18:07:14 UTC | Merge pull request #54 from martenson/release_14.10-fix-paramget-default [STABLE] [14.10] fix missing defaults for get() | 30 March 2015, 18:07:14 UTC |
69b68c0 | Martin Cech | 30 March 2015, 17:08:32 UTC | fix missing defaults for get() params class override the method and force default to be included | 30 March 2015, 17:08:32 UTC |
c17a9e5 | Dannon Baker | 12 February 2015, 13:28:37 UTC | Fix path manipulation during fetch_eggs. This getting an external version of pkg_resources (and not ours in lib/) is what is causing the weird egg fetching errors. Newer versions of pkg_resources create a mangled distribution string for some eggs with nonstandard version identifiers. | 05 March 2015, 14:57:01 UTC |
48d5823 | Dannon Baker | 23 February 2015, 16:26:42 UTC | Clone .gitignore | 23 February 2015, 16:26:42 UTC |
ed0e764 | John Chilton | 15 January 2015, 21:01:35 UTC | Bugfix: Skip extra wrapping around template-style macros. | 15 January 2015, 21:01:35 UTC |
7f62891 | Daniel Blankenberg | 14 January 2015, 22:07:54 UTC | Make DatasetListWrapper and DatasetCollectionWrapper subclasses of ToolParameterValueWrapper. | 14 January 2015, 22:07:54 UTC |
50d65f4 | Daniel Blankenberg | 13 January 2015, 15:27:49 UTC | Fix a critical security vulnerability where unsanitized user-modifiable values could be included in a command line template. | 13 January 2015, 15:27:49 UTC |
65ef16f | Martin Cech | 05 January 2015, 21:53:57 UTC | Merged in jmchilton/galaxy-central-fork-1/stable (pull request #620) [STABLE] Don't choke on tool versions switches with significant parameter changes. | 05 January 2015, 21:53:57 UTC |
fc04d37 | Nate Coraor | 05 January 2015, 14:00:18 UTC | Update tag latest_2014.10.06 for changeset 793d9cd5f9de | 05 January 2015, 14:00:18 UTC |
f01ae9f | John Chilton | 27 December 2014, 22:30:59 UTC | Fixes for over escaping in c2bed0a. Fixes dozens of tool functional tests. | 27 December 2014, 22:30:59 UTC |
269e243 | John Chilton | 18 December 2014, 14:47:08 UTC | Don't choke on tool versions switches with significant parameter changes. Just regenerate the tool state from the supplied parameters instead - seems to still preserve parameters on the tool form that are common between the versions because they are coming in through kwd. | 18 December 2014, 14:47:08 UTC |
c1f421d | Nate Coraor | 17 December 2014, 14:00:15 UTC | Update tag latest_2014.10.06 for changeset 5834b1066462 | 17 December 2014, 14:00:15 UTC |
24012f7 | Dave Bouvier | 16 December 2014, 20:00:50 UTC | Reduce minimum length of repository names from 4 characters to 2. | 16 December 2014, 20:00:50 UTC |
75da622 | Nate Coraor | 16 December 2014, 14:00:19 UTC | Update tag latest_2014.10.06 for changeset 7086b87d83a9 | 16 December 2014, 14:00:19 UTC |
c7ebf7d | Dannon Baker | 16 December 2014, 06:31:43 UTC | Merged in dan/galaxy-central-prs/stable (pull request #613) [STABLE] Do not |h escape tool dependency error message, as it is escaped and formatted by tool_shed.util.basic_util.to_html_string | 16 December 2014, 06:31:43 UTC |
095e417 | Daniel Blankenberg | 15 December 2014, 22:01:07 UTC | Do not |h escape tool dependency error message, as it is escaped and formatted by tool_shed.util.basic_util.to_html_string | 15 December 2014, 22:01:07 UTC |
8ba4e90 | Nate Coraor | 12 December 2014, 21:00:13 UTC | Update tag latest_2014.10.06 for changeset db9561875903 | 12 December 2014, 21:00:13 UTC |
72f3453 | Dave Bouvier | 12 December 2014, 16:30:27 UTC | Back out 15716:77528372d36c, which breaks library creation success message. | 12 December 2014, 16:30:27 UTC |
f286d3d | Nate Coraor | 12 December 2014, 14:00:15 UTC | Update tag latest_2014.10.06 for changeset e416697be38e | 12 December 2014, 14:00:15 UTC |
009628d | Martin Cech | 11 December 2014, 18:08:35 UTC | Merged in davebgx/galaxy-central/stable (pull request #606) [STABLE] Escape instances of message passed in through kwd before pushing them back out to mako. | 11 December 2014, 18:08:35 UTC |
245418f | Martin Cech | 11 December 2014, 18:01:22 UTC | Merged in martenson/galaxy-central-marten/stable (pull request #599) [STABLE] encode dataset, ldda, folder and library IDs properly in some more places | 11 December 2014, 18:01:22 UTC |
bf014b2 | Dave Bouvier | 11 December 2014, 16:39:50 UTC | One message was left unescaped. | 11 December 2014, 16:39:50 UTC |
766e8ff | Dave Bouvier | 11 December 2014, 16:36:55 UTC | Also escape repository names, just in case. | 11 December 2014, 16:36:55 UTC |
0b29252 | Dave Bouvier | 11 December 2014, 16:10:30 UTC | Escape messages passed in through kwd. | 11 December 2014, 16:10:30 UTC |
b0827d8 | Dannon Baker | 11 December 2014, 14:50:35 UTC | Merged in davebgx/galaxy-central/stable (pull request #603) [STABLE] Escape anything that could be user input in my assigned mako templates, add markupsafe.escape to username and email in users API controller. | 11 December 2014, 14:50:35 UTC |
6d171f9 | Nate Coraor | 11 December 2014, 14:00:20 UTC | Update tag latest_2014.10.06 for changeset 212e1d5e9be5 | 11 December 2014, 14:00:20 UTC |
db2e802 | Martin Cech | 10 December 2014, 23:28:45 UTC | Merge | 10 December 2014, 23:28:45 UTC |
3457cea | Dave Bouvier | 10 December 2014, 17:49:42 UTC | Revert html escaping in API controller, per input on pull request. | 10 December 2014, 17:49:42 UTC |
c8e7f46 | John Chilton | 10 December 2014, 17:20:55 UTC | Merged in dannon/galaxy-central/stable (pull request #602) [STABLE] Force sanitization of form.title and form.name. Header needs more digging; we actually use html content in the field. | 10 December 2014, 17:20:55 UTC |
69ff467 | Dave Bouvier | 10 December 2014, 16:31:21 UTC | Escape anything that could be user input in mako templates, add markupsafe.escape to username and email in users API controller. | 10 December 2014, 16:31:21 UTC |
277c47f | Dannon Baker | 09 December 2014, 20:44:08 UTC | Additionally sanitize form input fields (label, name, etc.) | 09 December 2014, 20:44:08 UTC |
59ef82e | Dannon Baker | 09 December 2014, 19:46:03 UTC | Force sanitization of form.title and form.name. Header needs more digging; we actually use html content in the field. | 09 December 2014, 19:46:03 UTC |
9dddf84 | Nate Coraor | 09 December 2014, 19:00:15 UTC | Update tag latest_2014.10.06 for changeset 3e7adbbe91a0 | 09 December 2014, 19:00:15 UTC |
89ba08e | Martin Cech | 09 December 2014, 18:41:41 UTC | Merge | 09 December 2014, 18:41:41 UTC |
b0d0245 | John Chilton | 09 December 2014, 14:31:53 UTC | Merged in dannon/galaxy-central/stable (pull request #596) [STABLE] Grafts of next-stable commits for security release. | 09 December 2014, 14:31:53 UTC |
1add607 | Nate Coraor | 09 December 2014, 14:00:15 UTC | Update tag latest_2014.10.06 for changeset 782cf1a1f6b5 | 09 December 2014, 14:00:15 UTC |
ebdbda1 | Dannon Baker | 08 December 2014, 22:16:21 UTC | One more place we shouldn't trust user_email. | 08 December 2014, 22:16:21 UTC |
9085fde | Martin Cech | 08 December 2014, 22:10:20 UTC | Merge | 08 December 2014, 22:10:20 UTC |
6efd00a | Dannon Baker | 08 December 2014, 22:06:25 UTC | Merged in carlfeberhard/carlfeberhard-galaxy-central-stable/stable (pull request #600) [STABLE] Fix to 04a072e to use the correct mako method in the masthead. | 08 December 2014, 22:06:25 UTC |
4a7156d | Carl Eberhard | 08 December 2014, 21:47:33 UTC | Fix to 04a072e: use proper mako dict method instead of printing json string | 08 December 2014, 21:47:33 UTC |
9177dd4 | Martin Cech | 08 December 2014, 21:27:18 UTC | typo in escaping | 08 December 2014, 21:27:18 UTC |
b2012a8 | Martin Cech | 08 December 2014, 21:02:12 UTC | encode dataset, ldda, folder and library IDs properly in some more places | 08 December 2014, 21:02:12 UTC |
aa65483 | Dannon Baker | 08 December 2014, 20:22:53 UTC | Merged in dan/galaxy-central-prs/stable (pull request #597) [STABLE] HTML escape user-settable values in Data Libraries. Update tests to reflect that e.g. quotes are now html escaped within pages. Eliminate the unnecessary use of Params() object for these controllers. | 08 December 2014, 20:22:53 UTC |
3453ac9 | Dannon Baker | 08 December 2014, 19:11:14 UTC | Merged in guerler/guerler-galaxy-central/stable (pull request #598) Security fixes for assigned templates | 08 December 2014, 19:11:14 UTC |
c9dae2a | Aysam Guerler | 08 December 2014, 19:00:57 UTC | Use h instead of escape for sanitization | 08 December 2014, 19:00:57 UTC |
b219af0 | Daniel Blankenberg | 08 December 2014, 17:27:48 UTC | HTML escape user-settable values in Data Libraries. Update tests to reflect that e.g. quotes are now html escaped within pages. Eliminate the unnecessary use of Params() object for these controllers. | 08 December 2014, 17:27:48 UTC |
ff1c26f | Dannon Baker | 08 December 2014, 16:44:52 UTC | Merged in carlfeberhard/carlfeberhard-galaxy-central-stable/stable (pull request #594) [STABLE] Next-stable security fixes to stable. | 08 December 2014, 16:44:52 UTC |
207a2d7 | John Chilton | 08 December 2014, 16:11:26 UTC | More sanitization related to sharing objects. | 08 December 2014, 16:11:26 UTC |
bb86c98 | John Chilton | 08 December 2014, 16:11:26 UTC | Sanitize user generated values in tool_executed.mako. | 08 December 2014, 16:11:26 UTC |
db1e0de | John Chilton | 08 December 2014, 16:11:26 UTC | More sanitization of tool ids during tool related activities. | 08 December 2014, 16:11:26 UTC |
1c7f48b | John Chilton | 08 December 2014, 16:11:26 UTC | Sanitize error message when unsharing history. | 08 December 2014, 16:11:26 UTC |
4cd139a | John Chilton | 08 December 2014, 16:11:26 UTC | Some comments to clarify working sanitization. | 08 December 2014, 16:11:26 UTC |
84f094d | John Chilton | 08 December 2014, 16:11:26 UTC | One last fix for workflow/list.mako. | 08 December 2014, 16:11:26 UTC |
3963955 | John Chilton | 08 December 2014, 16:11:26 UTC | Sanitize user e-mail in workflow sharing actions. | 08 December 2014, 16:11:26 UTC |
1d0a7c1 | John Chilton | 08 December 2014, 16:11:26 UTC | Sanitization for workflows_for_run.mako. | 08 December 2014, 16:11:26 UTC |
656f058 | John Chilton | 08 December 2014, 16:11:26 UTC | Sanitize values in switching data parameter form. | 08 December 2014, 16:11:26 UTC |
7391d1b | John Chilton | 08 December 2014, 16:11:26 UTC | Sanitize workflow and dataset names in run_complete.mako. | 08 December 2014, 16:11:26 UTC |
c66b64e | John Chilton | 08 December 2014, 16:11:26 UTC | Sanitize workflow names in tool menu. | 08 December 2014, 16:11:26 UTC |
034d890 | John Chilton | 08 December 2014, 16:11:26 UTC | Sanitize all values in configure_menu.mako. | 08 December 2014, 16:11:26 UTC |
fdc227b | John Chilton | 08 December 2014, 16:11:25 UTC | More workflow template sanitization during rename, copy, delete. | 08 December 2014, 16:11:25 UTC |
540ca4f | John Chilton | 08 December 2014, 16:11:25 UTC | Sanitize incoming workflow annotations during imports. | 08 December 2014, 16:11:25 UTC |
8f3d4e1 | John Chilton | 08 December 2014, 16:11:25 UTC | Sanitize workflow name and tool ids when running workflow with missing tools. | 08 December 2014, 16:11:25 UTC |
688613b | John Chilton | 08 December 2014, 16:11:25 UTC | More sanitizing of workflow name and tool information during import. | 08 December 2014, 16:11:25 UTC |
1450e07 | John Chilton | 08 December 2014, 16:11:25 UTC | More sanitization while handling fields from an imported workflow. | 08 December 2014, 16:11:25 UTC |
36a1222 | John Chilton | 08 December 2014, 16:11:25 UTC | Sanitize tool id, name, and version during workflow import. | 08 December 2014, 16:11:25 UTC |
c794299 | John Chilton | 08 December 2014, 16:11:25 UTC | Sanitize workflow name in myexperiment export. On the off chance that XML file ever gets interpreted as HTML. Shouldn't hurt anything for well behaved workflow names. | 08 December 2014, 16:11:25 UTC |
373516c | John Chilton | 08 December 2014, 16:11:25 UTC | Sanitize workflow name in message when extracting workflow from history. | 08 December 2014, 16:11:25 UTC |
fec116c | John Chilton | 08 December 2014, 16:11:25 UTC | More sanitization in workflow display.mako. | 08 December 2014, 16:11:25 UTC |
683ed19 | John Chilton | 08 December 2014, 16:11:25 UTC | Sanitize workflow run.mako parameters not sanitized by tooling code. | 08 December 2014, 16:11:25 UTC |
c8a71c7 | John Chilton | 08 December 2014, 16:11:25 UTC | Sanitize display of workflow parameters in workflow run.mako. | 08 December 2014, 16:11:25 UTC |
f2024d6 | John Chilton | 08 December 2014, 16:11:25 UTC | Sanitize workflow and input dataset names in workflow run.mako. | 08 December 2014, 16:11:25 UTC |
ea49e2f | Nate Coraor | 05 December 2014, 21:00:16 UTC | Update tag latest_2014.10.06 for changeset 8e45b1cefba1 | 05 December 2014, 21:00:16 UTC |
ed8fcdb | John Chilton | 05 December 2014, 16:57:27 UTC | Merged in martenson/galaxy-central-marten/stable (pull request #592) [STABLE] disable mobile version of the website | 05 December 2014, 16:57:27 UTC |
fc6e7b0 | Martin Cech | 05 December 2014, 16:54:22 UTC | Merged in natefoo/galaxy-central/stable (pull request #588) [STABLE] XSS fixes for remaining user templates and a few other security fixes | 05 December 2014, 16:54:22 UTC |
d642727 | Martin Cech | 05 December 2014, 16:49:14 UTC | Merged in dan/galaxy-central-prs/stable (pull request #593) [STABLE] Some web sanitization for Data Managers and Biostar redirect. | 05 December 2014, 16:49:14 UTC |
902d961 | Daniel Blankenberg | 04 December 2014, 21:14:28 UTC | Some web sanitization for Data Managers and Biostar redirect. | 04 December 2014, 21:14:28 UTC |
77cf30a | Dannon Baker | 04 December 2014, 20:27:19 UTC | Disable search interface for right now -- I made it not broken in the previous commit, but nobody should be using this yet. | 04 December 2014, 20:27:19 UTC |
dcee482 | Dannon Baker | 04 December 2014, 20:23:35 UTC | Fix search to work for at least datasets, hdas, etc. | 04 December 2014, 20:23:35 UTC |
daf3cc7 | Dannon Baker | 04 December 2014, 18:10:37 UTC | Catch ValueError and actually log it instead of blowing up w/ invalid dataset_id. Raise httpexception. | 04 December 2014, 18:10:37 UTC |
4c5f4e6 | Dannon Baker | 04 December 2014, 17:05:07 UTC | Don't trust user email rendered into page unescaped for Raven. | 04 December 2014, 17:05:07 UTC |
b99e462 | Martin Cech | 04 December 2014, 17:00:38 UTC | Mobile version of galaxy at /mobile can't be navigated (many dead links etc.), the templates/controllers are completely unescaped so I am disabling it completely for now, until we fix or remove it. Redirect to index from every used URL. | 04 December 2014, 17:00:38 UTC |
5c367df | Dannon Baker | 04 December 2014, 16:51:46 UTC | Remove unused cloud/run.mako; all functionality is rolled into cloud/index. | 04 December 2014, 16:51:46 UTC |
e763ca5 | Nate Coraor | 04 December 2014, 16:00:22 UTC | Update tag latest_2014.10.06 for changeset 9c482e1d9b3c | 04 December 2014, 16:00:22 UTC |
ef9d1fe | Daniel Blankenberg | 03 December 2014, 21:52:56 UTC | Fix for DynamicOptions AdditionalValueFilter when columns have not been assigned and to give value preference over name. | 03 December 2014, 21:52:56 UTC |
6c38d0f | Nate Coraor | 04 December 2014, 14:20:19 UTC | Merged in dan/galaxy-central-prs/stable (pull request #584) [STABLE] DatasetMatcher should check to see if hda is of the correct format before attempting to filter on e.g. metadata attributes (that may not exist for a non-expected format). | 04 December 2014, 14:20:19 UTC |
119ff96 | Nate Coraor | 04 December 2014, 14:00:18 UTC | Update tag latest_2014.10.06 for changeset 0e663285c743 | 04 December 2014, 14:00:18 UTC |
8715900 | Nate Coraor | 03 December 2014, 20:57:58 UTC | Remaining user function template XSS cleanup. Also fix login redirection security in the OpenID methods. | 03 December 2014, 20:57:58 UTC |
497c7fc | Dannon Baker | 03 December 2014, 19:15:51 UTC | Merged in martenson/galaxy-central-marten/stable (pull request #585) [STABLE] propagate the commit of 795336f22d8b94b86256b1d4738ee1bf24e18b57 that is already in next-stable to the stable | 03 December 2014, 19:15:51 UTC |