This commit is contained in:
cbartondock 2021-10-31 08:29:27 -04:00
commit a0cebfbfb1
6 changed files with 154 additions and 195 deletions

View file

@ -37,9 +37,9 @@ Calibre-Web is a web app providing a clean interface for browsing, reading and d
- "Magic Link" login to make it easy to log on eReaders
- Login via LDAP, google/github oauth and via proxy authentication
## Quick start
## Installation
#### Install via pip
#### Installation via pip (recommended)
1. Install calibre web via pip with the command `pip install calibreweb` (Depending on your OS and or distro the command could also be `pip3`).
2. Optional features can also be installed via pip, please refer to [this page](https://github.com/janeczku/calibre-web/wiki/Dependencies-in-Calibre-Web-Linux-Windows) for details
3. Calibre-Web can be started afterwards by typing `cps` or `python3 -m cps`
@ -47,18 +47,21 @@ Calibre-Web is a web app providing a clean interface for browsing, reading and d
#### Manual installation
1. Install dependencies by running `pip3 install --target vendor -r requirements.txt` (python3.x). Alternativly set up a python virtual environment.
2. Execute the command: `python3 cps.py` (or `nohup python3 cps.py` - recommended if you want to exit the terminal window)
Issues with Ubuntu:
Please note that running the above install command can fail on some versions of Ubuntu, saying `"can't combine user with prefix"`. This is a [known bug](https://github.com/pypa/pip/issues/3826) and can be remedied by using the command `pip install --system --target vendor -r requirements.txt` instead.
## Quick start
Point your browser to `http://localhost:8083` or `http://localhost:8083/opds` for the OPDS catalog
Set `Location of Calibre database` to the path of the folder where your Calibre library (metadata.db) lives, push "submit" button\
Optionally a Google Drive can be used to host the calibre library [-> Using Google Drive integration](https://github.com/janeczku/calibre-web/wiki/Configuration#using-google-drive-integration)
Go to Login page
**Default admin login:**\
#### Default admin login:
*Username:* admin\
*Password:* admin123
**Issues with Ubuntu:**
Please note that running the above install command can fail on some versions of Ubuntu, saying `"can't combine user with prefix"`. This is a [known bug](https://github.com/pypa/pip/issues/3826) and can be remedied by using the command `pip install --system --target vendor -r requirements.txt` instead.
## Requirements

View file

@ -3,3 +3,27 @@
## Reporting a Vulnerability
Please report security issues to ozzie.fernandez.isaacs@googlemail.com
## Supported Versions
To receive fixes for security vulnerabilities it is required to always upgrade to the latest version of Calibre-Web. See https://github.com/janeczku/calibre-web/releases/latest for the latest release.
## History
| Fixed in | Description |CVE number |
| ---------- |---------|---------|
| 3rd July 2018 | Guest access acts as a backdoor||
| V 0.6.7 |Hardcoded secret key for sessions |CVE-2020-12627 |
| V 0.6.13|Calibre-Web Metadata cross site scripting |CVE-2021-25964|
| V 0.6.13|Name of Shelves are only visible to users who can access the corresponding shelf Thanks to @ibarrionuevo||
| V 0.6.13|JavaScript could get executed in the description field. Thanks to @ranjit-git ||
| V 0.6.13|JavaScript could get executed in a custom column of type "comment" field ||
| V 0.6.13|JavaScript could get executed after converting a book to another format with a title containing javascript code||
| V 0.6.13|JavaScript could get executed after converting a book to another format with a username containing javascript code||
| V 0.6.13|JavaScript could get executed in the description series, categories or publishers title||
| V 0.6.13|JavaScript could get executed in the shelf title||
| V 0.6.13|Login with the old session cookie after logout. Thanks to @ibarrionuevo||
| V 0.6.14|CSRF was possible. Thanks to @mik317 ||
| V 0.6.14|Cross-Site Scripting vulnerability on typeahead inputs. Thanks to @notdodo||

View file

@ -151,7 +151,7 @@ def selected_roles(dictionary):
BookMeta = namedtuple('BookMeta', 'file_path, extension, title, author, cover, description, tags, series, '
'series_id, languages, publisher')
STABLE_VERSION = {'version': '0.6.14 Beta'}
STABLE_VERSION = {'version': '0.6.15 Beta'}
NIGHTLY_VERSION = {}
NIGHTLY_VERSION[0] = '$Format:%H$'

View file

@ -1,5 +1,5 @@
# GDrive Integration
gevent>20.6.0,<21.2.0
gevent>20.6.0,<22.0.0
greenlet>=0.4.17,<1.2.0
httplib2>=0.9.2,<0.20.0
oauth2client>=4.0.0,<4.1.4

View file

@ -18,6 +18,7 @@ classifiers =
Development Status :: 5 - Production/Stable
License :: OSI Approved :: GNU Affero General Public License v3
Programming Language :: Python :: 3
Programming Language :: Python :: 3.5
Programming Language :: Python :: 3.6
Programming Language :: Python :: 3.7
Programming Language :: Python :: 3.8
@ -56,7 +57,7 @@ install_requires =
[options.extras_require]
gdrive =
google-api-python-client>=1.7.11,<2.1.0
gevent>20.6.0,<21.2.0
gevent>20.6.0,<22.0.0
greenlet>=0.4.17,<1.2.0
httplib2>=0.9.2,<0.20.0
oauth2client>=4.0.0,<4.1.4

View file

@ -37,20 +37,20 @@
<div class="row">
<div class="col-xs-6 col-md-6 col-sm-offset-3" style="margin-top:50px;">
<p class='text-justify attribute'><strong>Start Time: </strong>2021-10-29 07:17:17</p>
<p class='text-justify attribute'><strong>Start Time: </strong>2021-10-30 19:49:15</p>
</div>
</div>
<div class="row">
<div class="col-xs-6 col-md-6 col-sm-offset-3">
<p class='text-justify attribute'><strong>Stop Time: </strong>2021-10-29 10:46:29</p>
<p class='text-justify attribute'><strong>Stop Time: </strong>2021-10-30 23:31:02</p>
</div>
</div>
<div class="row">
<div class="col-xs-6 col-md-6 col-sm-offset-3">
<p class='text-justify attribute'><strong>Duration: </strong>2h 49 min</p>
<p class='text-justify attribute'><strong>Duration: </strong>3h 2 min</p>
</div>
</div>
</div>
@ -378,13 +378,13 @@
<tr id="su" class="failClass">
<tr id="su" class="passClass">
<td>TestDeleteDatabase</td>
<td class="text-center">1</td>
<td class="text-center">0</td>
<td class="text-center">1</td>
<td class="text-center">0</td>
<td class="text-center">0</td>
<td class="text-center">0</td>
<td class="text-center">
<a onclick="showClassDetail('c5', 1)">Detail</a>
</td>
@ -392,32 +392,11 @@
<tr id="ft5.1" class="none bg-danger">
<tr id='pt5.1' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestDeleteDatabase - test_delete_books_in_database</div>
</td>
<td colspan='6'>
<div class="text-center">
<a class="popup_link text-center" onfocus='blur()' onclick="showTestDetail('div_ft5.1')">FAIL</a>
</div>
<!--css div popup start-->
<div id="div_ft5.1" class="popup_window test_output" style="display:block;">
<div class='close_button pull-right'>
<button type="button" class="close" aria-label="Close" onfocus="this.blur();"
onclick="document.getElementById('div_ft5.1').style.display='none'"><span
aria-hidden="true">&times;</span></button>
</div>
<div class="text-left pull-left">
<pre class="text-left">Traceback (most recent call last):
File &#34;/home/ozzie/Development/calibre-web-test/test/test_delete_database.py&#34;, line 77, in test_delete_books_in_database
self.assertEqual(&#34;&#34;, bl[&#39;table&#39;][0][&#39;selector&#39;][&#39;text&#39;])
AssertionError: &#39;&#39; != &#39;No matching records found&#39;
+ No matching records found</pre>
</div>
<div class="clearfix"></div>
</div>
<!--css div popup end-->
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
@ -1240,15 +1219,15 @@ AssertionError: &#39;&#39; != &#39;No matching records found&#39;
<tr id="su" class="failClass">
<tr id="su" class="passClass">
<td>TestEditBooksList</td>
<td class="text-center">10</td>
<td class="text-center">9</td>
<td class="text-center">1</td>
<td class="text-center">18</td>
<td class="text-center">18</td>
<td class="text-center">0</td>
<td class="text-center">0</td>
<td class="text-center">0</td>
<td class="text-center">
<a onclick="showClassDetail('c12', 10)">Detail</a>
<a onclick="showClassDetail('c12', 18)">Detail</a>
</td>
</tr>
@ -1274,7 +1253,7 @@ AssertionError: &#39;&#39; != &#39;No matching records found&#39;
<tr id='pt12.3' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_languages</div>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_comment</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
@ -1283,7 +1262,7 @@ AssertionError: &#39;&#39; != &#39;No matching records found&#39;
<tr id='pt12.4' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_publisher</div>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_cust_category</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
@ -1292,7 +1271,7 @@ AssertionError: &#39;&#39; != &#39;No matching records found&#39;
<tr id='pt12.5' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_series</div>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_cust_comment</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
@ -1301,7 +1280,7 @@ AssertionError: &#39;&#39; != &#39;No matching records found&#39;
<tr id='pt12.6' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_seriesindex</div>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_cust_enum</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
@ -1309,6 +1288,78 @@ AssertionError: &#39;&#39; != &#39;No matching records found&#39;
<tr id='pt12.7' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_cust_float</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
<tr id='pt12.8' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_cust_int</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
<tr id='pt12.9' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_cust_ratings</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
<tr id='pt12.10' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_cust_text</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
<tr id='pt12.11' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_languages</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
<tr id='pt12.12' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_publisher</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
<tr id='pt12.13' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_series</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
<tr id='pt12.14' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_seriesindex</div>
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
<tr id='pt12.15' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_bookslist_edit_title</div>
</td>
@ -1317,36 +1368,16 @@ AssertionError: &#39;&#39; != &#39;No matching records found&#39;
<tr id="ft12.8" class="none bg-danger">
<tr id='pt12.16' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_list_visibility</div>
</td>
<td colspan='6'>
<div class="text-center">
<a class="popup_link text-center" onfocus='blur()' onclick="showTestDetail('div_ft12.8')">FAIL</a>
</div>
<!--css div popup start-->
<div id="div_ft12.8" class="popup_window test_output" style="display:block;">
<div class='close_button pull-right'>
<button type="button" class="close" aria-label="Close" onfocus="this.blur();"
onclick="document.getElementById('div_ft12.8').style.display='none'"><span
aria-hidden="true">&times;</span></button>
</div>
<div class="text-left pull-left">
<pre class="text-left">Traceback (most recent call last):
File &#34;/home/ozzie/Development/calibre-web-test/test/test_edit_books_list.py&#34;, line 287, in test_list_visibility
self.assertEqual(9, len(bl[&#39;column_elements&#39;]))
AssertionError: 9 != 17</pre>
</div>
<div class="clearfix"></div>
</div>
<!--css div popup end-->
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
<tr id='pt12.9' class='hiddenRow bg-success'>
<tr id='pt12.17' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_restricted_rights</div>
</td>
@ -1355,7 +1386,7 @@ AssertionError: 9 != 17</pre>
<tr id='pt12.10' class='hiddenRow bg-success'>
<tr id='pt12.18' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksList - test_search_books_list</div>
</td>
@ -1365,11 +1396,11 @@ AssertionError: 9 != 17</pre>
<tr id="su" class="failClass">
<tr id="su" class="passClass">
<td>TestEditBooksOnGdrive</td>
<td class="text-center">20</td>
<td class="text-center">19</td>
<td class="text-center">1</td>
<td class="text-center">20</td>
<td class="text-center">0</td>
<td class="text-center">0</td>
<td class="text-center">0</td>
<td class="text-center">
@ -1550,31 +1581,11 @@ AssertionError: 9 != 17</pre>
<tr id="ft13.20" class="none bg-danger">
<tr id='pt13.20' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestEditBooksOnGdrive - test_watch_metadata</div>
</td>
<td colspan='6'>
<div class="text-center">
<a class="popup_link text-center" onfocus='blur()' onclick="showTestDetail('div_ft13.20')">FAIL</a>
</div>
<!--css div popup start-->
<div id="div_ft13.20" class="popup_window test_output" style="display:block;">
<div class='close_button pull-right'>
<button type="button" class="close" aria-label="Close" onfocus="this.blur();"
onclick="document.getElementById('div_ft13.20').style.display='none'"><span
aria-hidden="true">&times;</span></button>
</div>
<div class="text-left pull-left">
<pre class="text-left">Traceback (most recent call last):
File &#34;/home/ozzie/Development/calibre-web-test/test/test_edit_ebooks_gdrive.py&#34;, line 928, in test_watch_metadata
self.assertNotIn(&#39;series&#39;, book)
AssertionError: &#39;series&#39; unexpectedly found in {&#39;id&#39;: 5, &#39;reader&#39;: [], &#39;title&#39;: &#39;testbook&#39;, &#39;author&#39;: [&#39;John Döe&#39;], &#39;rating&#39;: 0, &#39;languages&#39;: [&#39;English&#39;], &#39;identifier&#39;: [], &#39;cover&#39;: &#39;/cover/5?edit=7a19f85c-19e9-45b0-ba12-3c54b9b88d6d&#39;, &#39;tag&#39;: [], &#39;publisher&#39;: [&#39;Randomhäus&#39;], &#39;pubdate&#39;: &#39;Jan 19, 2017&#39;, &#39;comment&#39;: &#39;Lorem ipsum dolor sit amet, consectetuer adipiscing elit.Aenean commodo ligula eget dolor.Aenean massa.Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus.Donec quam felis, ultricies nec, pellentesque eu, pretium quis, sem.Nulla consequat massa quis enim.Donec pede justo, fringilla vel, aliquet nec, vulputate&#39;, &#39;add_shelf&#39;: [], &#39;del_shelf&#39;: [], &#39;edit_enable&#39;: True, &#39;kindle&#39;: None, &#39;kindlebtn&#39;: None, &#39;download&#39;: [&#39;EPUB (6.7 kB)&#39;], &#39;read&#39;: False, &#39;archived&#39;: False, &#39;series_all&#39;: &#39;Book 1 of test&#39;, &#39;series_index&#39;: &#39;1&#39;, &#39;series&#39;: &#39;test&#39;, &#39;cust_columns&#39;: []}</pre>
</div>
<div class="clearfix"></div>
</div>
<!--css div popup end-->
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
@ -1943,12 +1954,12 @@ AssertionError: &#39;series&#39; unexpectedly found in {&#39;id&#39;: 5, &#39;re
<tr id="su" class="errorClass">
<tr id="su" class="passClass">
<td>TestKoboSyncBig</td>
<td class="text-center">4</td>
<td class="text-center">1</td>
<td class="text-center">1</td>
<td class="text-center">2</td>
<td class="text-center">4</td>
<td class="text-center">0</td>
<td class="text-center">0</td>
<td class="text-center">0</td>
<td class="text-center">
<a onclick="showClassDetail('c22', 4)">Detail</a>
@ -1957,60 +1968,20 @@ AssertionError: &#39;series&#39; unexpectedly found in {&#39;id&#39;: 5, &#39;re
<tr id="et22.1" class="none bg-info">
<tr id='pt22.1' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestKoboSyncBig - test_kobo_sync_selected_shelfs</div>
</td>
<td colspan='6'>
<div class="text-center">
<a class="popup_link text-center" onfocus='blur()' onclick="showTestDetail('div_et22.1')">ERROR</a>
</div>
<!--css div popup start-->
<div id="div_et22.1" class="popup_window test_output" style="display:block;">
<div class='close_button pull-right'>
<button type="button" class="close" aria-label="Close" onfocus="this.blur();"
onclick="document.getElementById('div_et22.1').style.display='none'"><span
aria-hidden="true">&times;</span></button>
</div>
<div class="text-left pull-left">
<pre class="text-left">Traceback (most recent call last):
File &#34;/home/ozzie/Development/calibre-web-test/test/test_kobo_sync_big.py&#34;, line 278, in test_kobo_sync_selected_shelfs
self.assertIn(&#34;NewTag&#34;, data3[2])
IndexError: list index out of range</pre>
</div>
<div class="clearfix"></div>
</div>
<!--css div popup end-->
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
<tr id="et22.2" class="none bg-info">
<tr id='pt22.2' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestKoboSyncBig - test_sync_changed_book</div>
</td>
<td colspan='6'>
<div class="text-center">
<a class="popup_link text-center" onfocus='blur()' onclick="showTestDetail('div_et22.2')">ERROR</a>
</div>
<!--css div popup start-->
<div id="div_et22.2" class="popup_window test_output" style="display:block;">
<div class='close_button pull-right'>
<button type="button" class="close" aria-label="Close" onfocus="this.blur();"
onclick="document.getElementById('div_et22.2').style.display='none'"><span
aria-hidden="true">&times;</span></button>
</div>
<div class="text-left pull-left">
<pre class="text-left">Traceback (most recent call last):
File &#34;/home/ozzie/Development/calibre-web-test/test/test_kobo_sync_big.py&#34;, line 185, in test_sync_changed_book
self.assertTrue(&#39;ChangedEntitlement&#39; in data[0][0])
IndexError: list index out of range</pre>
</div>
<div class="clearfix"></div>
</div>
<!--css div popup end-->
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
@ -2024,31 +1995,11 @@ IndexError: list index out of range</pre>
<tr id="ft22.4" class="none bg-danger">
<tr id='pt22.4' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestKoboSyncBig - test_sync_shelf</div>
</td>
<td colspan='6'>
<div class="text-center">
<a class="popup_link text-center" onfocus='blur()' onclick="showTestDetail('div_ft22.4')">FAIL</a>
</div>
<!--css div popup start-->
<div id="div_ft22.4" class="popup_window test_output" style="display:block;">
<div class='close_button pull-right'>
<button type="button" class="close" aria-label="Close" onfocus="this.blur();"
onclick="document.getElementById('div_ft22.4').style.display='none'"><span
aria-hidden="true">&times;</span></button>
</div>
<div class="text-left pull-left">
<pre class="text-left">Traceback (most recent call last):
File &#34;/home/ozzie/Development/calibre-web-test/test/test_kobo_sync_big.py&#34;, line 200, in test_sync_shelf
self.assertEqual(1, len(data[0]))
AssertionError: 1 != 0</pre>
</div>
<div class="clearfix"></div>
</div>
<!--css div popup end-->
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
@ -2950,11 +2901,11 @@ AssertionError: 1 != 0</pre>
<tr id="su" class="failClass">
<tr id="su" class="skipClass">
<td>TestShelf</td>
<td class="text-center">13</td>
<td class="text-center">11</td>
<td class="text-center">1</td>
<td class="text-center">12</td>
<td class="text-center">0</td>
<td class="text-center">0</td>
<td class="text-center">1</td>
<td class="text-center">
@ -2973,31 +2924,11 @@ AssertionError: 1 != 0</pre>
<tr id="ft33.2" class="none bg-danger">
<tr id='pt33.2' class='hiddenRow bg-success'>
<td>
<div class='testcase'>TestShelf - test_adv_search_shelf</div>
</td>
<td colspan='6'>
<div class="text-center">
<a class="popup_link text-center" onfocus='blur()' onclick="showTestDetail('div_ft33.2')">FAIL</a>
</div>
<!--css div popup start-->
<div id="div_ft33.2" class="popup_window test_output" style="display:block;">
<div class='close_button pull-right'>
<button type="button" class="close" aria-label="Close" onfocus="this.blur();"
onclick="document.getElementById('div_ft33.2').style.display='none'"><span
aria-hidden="true">&times;</span></button>
</div>
<div class="text-left pull-left">
<pre class="text-left">Traceback (most recent call last):
File &#34;/home/ozzie/Development/calibre-web-test/test/test_shelf.py&#34;, line 447, in test_adv_search_shelf
self.assertEqual(len(self.adv_search({u&#39;exclude_shelf&#39;: u&#39;Search&#39;, &#39;book_title&#39;: &#39;book&#39;})), 5)
AssertionError: 0 != 5</pre>
</div>
<div class="clearfix"></div>
</div>
<!--css div popup end-->
</td>
<td colspan='6' align='center'>PASS</td>
</tr>
@ -4151,10 +4082,10 @@ AssertionError: 0 != 5</pre>
<tr id='total_row' class="text-center bg-grey">
<td>Total</td>
<td>358</td>
<td>345</td>
<td>5</td>
<td>2</td>
<td>366</td>
<td>360</td>
<td>0</td>
<td>0</td>
<td>6</td>
<td>&nbsp;</td>
</tr>
@ -4561,7 +4492,7 @@ AssertionError: 0 != 5</pre>
</div>
<script>
drawCircle(345, 5, 2, 6);
drawCircle(360, 0, 0, 6);
showCase(5);
</script>