This repository has been archived by the owner on Feb 8, 2018. It is now read-only.
Stacktrace (most recent call last):
File "aspen/website.py", line 76, in handle_safely
response = self.handle(request)
File "aspen/website.py", line 109, in handle
response = request.resource.respond(request)
File "aspen/resources/dynamic_resource.py", line 47, in respond
exec self.pages[1] in context
File "/app/www/on/twitter/%screen_name/index.html.spt", line 18, in <module>
user_info = twitter.get_user_info(path['screen_name'])
File "gittip/elsewhere/twitter.py", line 61, in get_user_info
user_info = requests.get(url % screen_name, auth=oauth)
File "requests/api.py", line 55, in get
return request('get', url, **kwargs)
File "requests/api.py", line 44, in request
return session.request(method=method, url=url, **kwargs)
File "requests/sessions.py", line 324, in request
prep = req.prepare()
File "requests/models.py", line 226, in prepare
p.prepare_auth(self.auth, self.url)
File "requests/models.py", line 428, in prepare_auth
r = auth(self)
File "requests_oauthlib/core.py", line 65, in __call__
unicode(r.url), unicode(r.method), None, r.headers)
File "oauthlib/oauth1/rfc5849/__init__.py", line 233, in sign
encoding=self.encoding)
File "oauthlib/common.py", line 365, in __init__
self._params.update(dict(urldecode(self.uri_query)))
File "oauthlib/common.py", line 135, in urldecode
raise ValueError('Not a valid urlencoded string.')
ValueError: Not a valid urlencoded string.
The request causing this is for /on/twitter/"><img src=x onerror=confirm("XSS");>/ and we use this Twitter username for the request to https://api.twitter.com/1.1/users/show.json?screen_name=%s without any escaping. Should we urlencode the Twitter names? What does Twitter allow in usernames?
https://app.getsentry.com/gittip/gittip/group/6116674/
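A worked illustration of the problem described in this issue and of the two fixes it asks about. This is an added example, not gittip's code and not from the traceback above: build_url_unescaped reproduces the raw "%s" interpolation, is_query_urlencoded approximates the character check that oauthlib's urldecode applies to the query string (an approximation built from the RFC 3986 query character set, not oauthlib's own implementation), and build_url_hardened adds the two layers a practitioner would want: reject anything that is not a legal Twitter screen name (Twitter's documented rule is 1 to 15 characters from [A-Za-z0-9_]) and percent-encode the value anyway. The function names, the XSS_SCREEN_NAME constant and the sample names are assumptions made for this example.

```python
import re
from urllib.parse import quote, urlencode, urlsplit

# Template exactly as quoted in the issue text.
API_URL = "https://api.twitter.com/1.1/users/show.json?screen_name=%s"

# The path segment from the offending request (already URL-decoded, as
# aspen hands it to the .spt page). Constructed from the issue text.
XSS_SCREEN_NAME = '"><img src=x onerror=confirm("XSS");>'

# Twitter's documented screen-name rule: 1-15 chars of letters, digits, underscore.
SCREEN_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,15}$")

# Characters RFC 3986 allows unencoded in a URL query component
# (unreserved + sub-delims + ":@/?" + "%" for pct-encoding). Anything else
# is what oauthlib's urldecode refuses as "Not a valid urlencoded string".
# This is an approximation of that check, not oauthlib's code.
_QUERY_SAFE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~!$&'()*+,;=:@/?%"
)


def build_url_unescaped(screen_name):
    """The pattern from the issue: raw interpolation, no escaping at all."""
    return API_URL % screen_name


def is_query_urlencoded(url):
    """True if every character of the query string is legal in a URL query."""
    query = urlsplit(url).query
    return set(query) <= _QUERY_SAFE


def is_valid_screen_name(screen_name):
    """Allow-list check against Twitter's screen-name alphabet and length."""
    return SCREEN_NAME_RE.match(screen_name) is not None


def percent_encode_only(screen_name):
    """Fix 1 on its own: percent-encode the value before interpolating.

    safe="" makes quote() encode everything outside [A-Za-z0-9_.-~], so the
    query string can no longer contain characters oauthlib rejects.
    """
    return API_URL % quote(screen_name, safe="")


def build_url_hardened(screen_name):
    """Fix 1 + fix 2: reject names Twitter could never issue, then encode anyway.

    Validation answers the "what does Twitter allow" question up front and
    turns a garbage path segment into a clean 4xx instead of a 500 from deep
    inside oauthlib; encoding is kept as defence in depth in case the rule
    ever loosens.
    """
    if not is_valid_screen_name(screen_name):
        raise ValueError("invalid Twitter screen name: %r" % (screen_name,))
    # Equivalent to what requests does for params={"screen_name": ...}.
    return "https://api.twitter.com/1.1/users/show.json?" + urlencode(
        {"screen_name": screen_name}
    )


if __name__ == "__main__":
    raw = build_url_unescaped(XSS_SCREEN_NAME)
    print("unescaped URL valid for signing:", is_query_urlencoded(raw))
    print("encoded   URL valid for signing:",
          is_query_urlencoded(percent_encode_only(XSS_SCREEN_NAME)))
    print("gittip ->", build_url_hardened("gittip"))
    try:
        build_url_hardened(XSS_SCREEN_NAME)
    except ValueError as exc:
        print("rejected:", exc)
```

In the real handler the equivalent change is to stop formatting the URL yourself and call requests.get(base_url, params={'screen_name': screen_name}, auth=oauth) after the allow-list check, so the encoding is done by the library that also signs the request; the hand-rolled urlencode above only exists so the example runs offline.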