- Ignore confirm set() fields by themselves in the absence of non-"confirm"

Richard Jones · Richard Jones · commit 097c37ab2a6c · 2011-11-07T13:59:43.000+11:00
values; otherwise a bare confirm field can be used to change the a
  password. Reported by Cam Blackwood.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -43,6 +43,10 @@ Fixed:
   we now have a regression test. We now take care that bounce-messages
   for incoming encrypted mails or mails where the policy dictates that
   outgoing traffic should be encrypted is actually pgp-encrypted. (Ralf)
+- Ignore confirm set() fields by themselves in the absence of non-"confirm"
+  values; otherwise a bare confirm field can be used to change the a
+  password. Reported by Cam Blackwood.
+
 
 2011-07-15 1.4.19
 
diff --git a/roundup/cgi/form_parser.py b/roundup/cgi/form_parser.py
@@ -369,6 +369,9 @@ def parse(self, create=0, num_re=re.compile('^\d+$')):
                 if not value:
                     # ignore empty password values
                     continue
+                if d['confirm']:
+                    # ignore the "confirm" password value by itself
+                    continue
                 for key, d in matches:
                     if d['confirm'] and d['propname'] == propname:
                         confirm = form[key]
