Posted to commits@allura.apache.org by br...@apache.org on 2014/09/29 18:17:53 UTC
[22/27] git commit: [#7657] prevent users from crafting HTML form
param to get admin mode of _update_emails
[#7657] prevent users from crafting HTML form param to get admin mode of _update_emails
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/492bf8e4
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/492bf8e4
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/492bf8e4
Branch: refs/heads/db/7657
Commit: 492bf8e467dd2973804b3203aa0a81848acef0e1
Parents: ae1dc97
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Fri Sep 26 18:46:31 2014 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Fri Sep 26 18:46:31 2014 +0000
----------------------------------------------------------------------
Allura/allura/controllers/auth.py | 6 ++++--
Allura/allura/controllers/site_admin.py | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/492bf8e4/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 87908b8..4d2fb7c 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -434,7 +434,9 @@ class PreferencesController(BaseController):
menu = provider.account_navigation()
return dict(menu=menu, user=c.user)
- def _update_emails(self, user, admin=False, **kw):
+ def _update_emails(self, user, admin=False, form_params={}):
+ # not using **kw in method signature, to ensure 'admin' can't be passed in via a form submit
+ kw = form_params
addr = kw.pop('addr', None)
new_addr= kw.pop('new_addr', None)
primary_addr = kw.pop('primary_addr', None)
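Review bot: The new `_update_emails` signature uses a mutable default, `form_params={}`, and the body immediately aliases it as `kw` and calls `kw.pop(...)` on it, so any call that omits `form_params` pops from the single shared default dict, and every call mutates the caller's dict in place. Prefer `def _update_emails(self, user, admin=False, form_params=None):` followed by `kw = dict(form_params or {})`, which preserves the admin-via-form fix while leaving the caller's kwargs untouched. Both updated callers (the `update_emails` hunk below and the site_admin.py hunk) pass `form_params=kw` explicitly, so the default is only reached if some other caller exists outside this diff. The method body continues past the end of the hunk.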
@@ -498,7 +500,7 @@ class PreferencesController(BaseController):
@require_post()
def update_emails(self, **kw):
if asbool(config.get('auth.allow_edit_prefs', True)):
- self._update_emails(c.user, **kw)
+ self._update_emails(c.user, form_params=kw)
redirect('.')
@h.vardec
http://git-wip-us.apache.org/repos/asf/allura/blob/492bf8e4/Allura/allura/controllers/site_admin.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/site_admin.py b/Allura/allura/controllers/site_admin.py
index 335a0e6..7090343 100644
--- a/Allura/allura/controllers/site_admin.py
+++ b/Allura/allura/controllers/site_admin.py
@@ -560,7 +560,7 @@ class AdminUserDetailsController(object):
user = M.User.by_username(username)
if not user or user.is_anonymous():
raise HTTPNotFound()
- allura.controllers.auth.PreferencesController()._update_emails(user, admin=True, **kw)
+ allura.controllers.auth.PreferencesController()._update_emails(user, admin=True, form_params=kw)
redirect(request.referer)