[tokkee]

tokkee.org

Code

projects / roundup.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Plug a number of security holes:
[roundup.git] / roundup / configuration.py
diff --git a/roundup/configuration.py b/roundup/configuration.py
index 8d03f7bb3e299752864a3c37e96f57ee99287130..b6571b01449fc8ac1ae5da635a5b9faf0bbd88e4 100644 (file)
--- a/roundup/configuration.py
+++ b/roundup/configuration.py
@@ -551,6 +551,11 @@ SETTINGS = (
             "or LANG, in that order of preference."),
     )),
     ("web", (
+        (BooleanOption, "allow_html_file", "no",
+            "Setting this option enables Roundup to serve uploaded HTML\n"
+            "file content *as HTML*. This is a potential security risk\n"
+            "and is therefore disabled by default. Set to 'yes' if you\n"
+            "trust *all* users uploading content to your tracker."),
         (BooleanOption, 'http_auth', "yes",
             "Whether to use HTTP Basic Authentication, if present.\n"
             "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n"
Roundup Issue Tracker (SVN clone)