Posted to commits@allura.apache.org by br...@apache.org on 2014/09/29 18:17:53 UTC

[22/27] git commit: [#7657] prevent users from crafting HTML form param to get admin mode of _update_emails

[#7657] prevent users from crafting HTML form param to get admin mode of _update_emails


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/492bf8e4
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/492bf8e4
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/492bf8e4

Branch: refs/heads/db/7657
Commit: 492bf8e467dd2973804b3203aa0a81848acef0e1
Parents: ae1dc97
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Fri Sep 26 18:46:31 2014 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Fri Sep 26 18:46:31 2014 +0000

----------------------------------------------------------------------
 Allura/allura/controllers/auth.py       | 6 ++++--
 Allura/allura/controllers/site_admin.py | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/492bf8e4/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 87908b8..4d2fb7c 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -434,7 +434,9 @@ class PreferencesController(BaseController):
         menu = provider.account_navigation()
         return dict(menu=menu, user=c.user)
 
-    def _update_emails(self, user, admin=False, **kw):
+    def _update_emails(self, user, admin=False, form_params={}):
+        # not using **kw in method signature, to ensure 'admin' can't be passed in via a form submit
+        kw = form_params
         addr = kw.pop('addr', None)
         new_addr= kw.pop('new_addr', None)
         primary_addr = kw.pop('primary_addr', None)
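Review bot: The new signature `def _update_emails(self, user, admin=False, form_params={}):` uses a mutable default, and the following `kw = form_params` then `kw.pop(...)`s keys out of whatever dict the caller handed in, so the caller's `kw` is now mutated in place — the old `**kw` form gave the method its own copy. A safer version that keeps the intent of the fix (no form field can reach the `admin` parameter) is `def _update_emails(self, user, admin=False, form_params=None):` followed by `kw = dict(form_params or {})`. The comment could also state the guarantee more directly, e.g. `# form_params is an explicit dict (not **kw) so a submitted 'admin' field can never bind to the admin argument`. The body of `_update_emails` continues past the end of this hunk.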
@@ -498,7 +500,7 @@ class PreferencesController(BaseController):
     @require_post()
     def update_emails(self, **kw):
         if asbool(config.get('auth.allow_edit_prefs', True)):
-            self._update_emails(c.user, **kw)
+            self._update_emails(c.user, form_params=kw)
         redirect('.')
 
     @h.vardec

http://git-wip-us.apache.org/repos/asf/allura/blob/492bf8e4/Allura/allura/controllers/site_admin.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/site_admin.py b/Allura/allura/controllers/site_admin.py
index 335a0e6..7090343 100644
--- a/Allura/allura/controllers/site_admin.py
+++ b/Allura/allura/controllers/site_admin.py
@@ -560,7 +560,7 @@ class AdminUserDetailsController(object):
         user = M.User.by_username(username)
         if not user or user.is_anonymous():
             raise HTTPNotFound()
-        allura.controllers.auth.PreferencesController()._update_emails(user, admin=True, **kw)
+        allura.controllers.auth.PreferencesController()._update_emails(user, admin=True, form_params=kw)
         redirect(request.referer)