SSF-2 Fix vulnerability

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/controllers/comparison_controller.rb b/sonar-server/src/main/webapp/WEB-INF/app/controllers/comparison_controller.rb
index 474663ba3711f95c30fc3774bd7f9603d107ed57..12ae2d490a262eebfb678db79ed7b984b6cc559a 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/controllers/comparison_controller.rb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/controllers/comparison_controller.rb
@@ -39,7 +39,7 @@ class ComparisonController < ApplicationController
       # the request comes from the comparison page: let's compare the given snapshots
       sids = get_params_as_array(:sids)
       unless sids.empty?
-        selected_snapshots = Snapshot.find(:all, :conditions => ['id in (?)', sids])
+        selected_snapshots = Snapshot.all(:conditions => ['id in (?)', sids])
         # next loop is required to keep the order that was decided by the user and which comes from the "sids" parameter
         sids.each do |id|
           selected_snapshots.each do |s|
@@ -99,4 +99,4 @@ class ComparisonController < ApplicationController
     end
   end
 
-end
\ No newline at end of file
+end

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
index 2d4e1bf0aa751324379d9a9fded88b06c88b6cee..c2d3497228faec96e7f8515fb12b7fd25c0b42a4 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/drilldown/measures.html.erb
@@ -62,7 +62,7 @@
             <tr class="<%= clazz -%>" id="row_<%= index -%>_<%= row_index -%>">
               <td nowrap>
                 <% if resource.source_code? %>
-                  <a href="<%= url_for :controller => 'resource', :action => 'index', :id => resource.key, :period => params[:period], :metric => @metric ? @metric.id : nil, :rule => @rule ? @rule.id : @severity, :display_title => 'true' -%>" 
+                  <a href="<%= url_for :controller => 'resource', :action => 'index', :id => resource.key, :period => @period, :metric => @metric ? @metric.id : nil, :rule => @rule ? @rule.id : @severity, :display_title => 'true' -%>"
                      onclick="window.open(this.href,'resource-<%= resource.key.parameterize -%>','height=800,width=900,scrollbars=1,resizable=1');return false;"
                      id="popup-<%= resource.key.parameterize -%>"
                      target="_blank"><%= image_tag 'new-window-16.gif', :alt => message('new_window') -%></a>

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
index 363c276bb1724cf5438aea08feaf709cece17008..74bb5a1fdc9f8662ea1a772a0057e796f4eb2bc2 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/layouts/_layout.html.erb
@@ -4,7 +4,7 @@
      selected_section = Navigation::SECTION_HOME
    end
    @project=@resource unless @project || selected_section==Navigation::SECTION_HOME
-   period_param = "period=#{h(params[:period])}" if params[:period]
+   period_param = "period=#{u(params[:period])}" if params[:period]
 %>
 <div id="container">
   <%= yield :header -%>

diff --git a/sonar-server/src/main/webapp/WEB-INF/app/views/project/widgets/issues/_issues_list.html.erb b/sonar-server/src/main/webapp/WEB-INF/app/views/project/widgets/issues/_issues_list.html.erb
index f061f92f74bd0b4b59e2edcc4dddf047cafd25cd..f435afc8b29b665f2f120914e0ea1ba440deb85e 100644 (file)
--- a/sonar-server/src/main/webapp/WEB-INF/app/views/project/widgets/issues/_issues_list.html.erb
+++ b/sonar-server/src/main/webapp/WEB-INF/app/views/project/widgets/issues/_issues_list.html.erb
@@ -79,4 +79,4 @@
     } -%>
   </table>
 
-<% end %>
\ No newline at end of file
+<% end %>