
Commit 5201843

committed
applying upgrade of 1.5.1 -> 1.6.0.
Upgraded login form. Added @csrf tokens to forms using post. Fix security issue where the username was displayed without escaping html entities. User query hrefs now have their names url-quoted, which makes multi-word queries a valid url.
1 parent bd04f53 commit 5201843


1 file changed

+13
-4
lines changed


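--- a/website/issues/html/page.html
+++ b/website/issues/html/page.html
@@ -84,14 +84,16 @@ <h1><a href="/">Roundup Tracker - Issues</a></h1>
 type="text" name="@number"/>
 <input type="hidden" name="@type" value="issue"/>
 <input type="hidden" name="@action" value="show"/>
+<input name="@csrf" type="hidden"
+tal:attributes="value python:utils.anti_csrf_nonce()">
 </form>
 </li>
 </ul>
 
 <ul>
 <li tal:condition="python:request.user.username=='anonymous'" class="submenu">
 <b i18n:translate="">User</b>
-<form method="post" action="#">
+<form method="post" tal:attributes="action request/base">
 <ul>
 <li>
 <tal:span i18n:translate="">Login</tal:span><br/>
@@ -101,7 +103,14 @@ <h1><a href="/">Roundup Tracker - Issues</a></h1>
 <input type="checkbox" name="remember" id="remember"/>
 <label for="remember" i18n:translate="">Remember me?</label><br/>
 <input class="form-small" type="submit" value="Login" i18n:attributes="value"/><br/>
-<input type="hidden" name="__came_from" tal:attributes="value string:${request/env/PATH_INFO}"/>
+<input name="@csrf" type="hidden"
+tal:attributes="value python:utils.anti_csrf_nonce()">
+<input type="hidden" name="__came_from"
+tal:condition="exists:request/env/QUERY_STRING"
+tal:attributes="value string:${request/base}${request/env/PATH_INFO}?${request/env/QUERY_STRING}">
+<input type="hidden" name="__came_from"
+tal:condition="not:exists:request/env/QUERY_STRING"
+tal:attributes="value string:${request/base}${request/env/PATH_INFO}">
 <span tal:replace="structure request/indexargs_form" />
 </li>
 <li>
@@ -116,7 +125,7 @@ <h1><a href="/">Roundup Tracker - Issues</a></h1>
 </li>
 
 <li tal:condition="python:request.user.username != 'anonymous'" class="submenu">
-<p class="label"><b tal:replace="request/user/username">username</b></p>
+<p class="label"><b tal:replace="python:request.user.username.plain(escape=1)">username</b></p>
 <ul>
 <li>
 <a href="#"
@@ -145,7 +154,7 @@ <h1><a href="/">Roundup Tracker - Issues</a></h1>
 tal:condition="python:request.user.hasPermission('View', 'query')">
 <span i18n:translate=""><b>Your Queries</b> (<a class="nomargin" href="query?@template=edit">edit</a>)</span><br/>
 <ul tal:repeat="qs request/user/queries">
-<li><a tal:attributes="href string:${qs/klass}?${qs/url}&@dispname=${qs/name}"
+<li><a href="#" tal:attributes="href string:${qs/klass}?${qs/url}&@dispname=${qs/name/url_quote}"
 tal:content="qs/name">link</a></li>
 </ul>
 </li>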
