authorRĂ©mi Duraffort <remi.duraffort@linaro.org>2018-06-15 15:23:15 +0200
committerNeil Williams <neil.williams@linaro.org>2018-06-15 16:20:25 +0100
commit95a9a77b144ced24d7425d6544ab03ca7f6c75d3 (patch)
tree88ecb784235e5bd7d6a33a47eff4ddd44107151d /lava_scheduler_app/templates/lava_scheduler_app/job_submit.html
parent661cda0b5d8176dfcff6f4324a35b894e0d9e174 (diff)
Remove the ability to past URLs in the submit page
This functionality had introduced a security vulnerability in lava-server. A user can forge an HTTP request that will force lava-server-gunicorn to return any file on the server that is: * readable by lavaserver * valid yaml This bug was found by running bandit (https://github.com/PyCQA/bandit). Change-Id: Ie6876bbb4d8dad210d63d2655356bb863a592b41
Diffstat (limited to 'lava_scheduler_app/templates/lava_scheduler_app/job_submit.html')
-rw-r--r--lava_scheduler_app/templates/lava_scheduler_app/job_submit.html7
1 files changed, 2 insertions, 5 deletions
diff --git a/lava_scheduler_app/templates/lava_scheduler_app/job_submit.html b/lava_scheduler_app/templates/lava_scheduler_app/job_submit.html
index 7068e68b5..9cfb137b3 100644
--- a/lava_scheduler_app/templates/lava_scheduler_app/job_submit.html
+++ b/lava_scheduler_app/templates/lava_scheduler_app/job_submit.html
@@ -45,12 +45,12 @@
<p>To view the full job list click <a href="{{ list_url }}">here</a>.</p>
{% else %}
-<p>Paste your job definition here. Alternatively, you can paste a URL to your job definition file.</p>
+<p>Paste your job definition here.</p>
<form action="" method="post">
{% csrf_token %}
<div>
- <textarea id="definition-input" name="definition-input" placeholder="Enter your job definition or link to a job definition here.">{{ definition_input }}</textarea>
+ <textarea id="definition-input" name="definition-input" placeholder="Enter your job definition here.">{{ definition_input }}</textarea>
<div id="busyIndicator"></div>
<div>
<div id="valid_container">
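Review bot: The rewritten `<textarea>` line still relies on `placeholder` as its only label, so the control has no accessible name once the user starts typing; since the line is already being touched, a visible `<label for="definition-input">Job definition</label>` placed before it would close that gap. The text changes in this hunk only alter what the page tells the user — nothing in this template prevents a client from still posting a URL in `definition-input` — so the fix rests on the server-side handling behind `lava.scheduler.get_remote_definition` being removed in the rest of the commit, which this single-file diffstat cannot confirm. The enclosing `{% else %}` block and form continue outside the hunk.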
@@ -80,9 +80,6 @@
{% block scripts %}
<script type="text/javascript" src="{{ STATIC_URL }}lava_scheduler_app/js/jquery-linedtextarea.min.js"></script>
-<script type="text/javascript">
- var remote_definition_url = '{% url 'lava.scheduler.get_remote_definition' %}';
-</script>
{% if not job_id %}
<script type="text/javascript" src="{{ STATIC_URL }}lava_scheduler_app/js/job-submit.min.js"></script>
{% endif %}