comparison doc/upgrading.txt @ 5161:12190efa30d4
I realized that the __came_from and __redirect_to url parameters I
added to handle issues with the LoginAction and NewItemAction could
be used for XSS or other purposes.
So I check them using a new clean_url(url) function. This tries to
validate that the url is under the tracker's base url and that the
components of the url are properly url encoded. If it thinks something
is wrong with the url, it will raise a ValueError. I decided to not
attempt to fix the urls if there is an issue, better to bring it to the
tracker admin's attention.
Changed the code paths in NewItemAction and LoginAction that deal with
the form parameters to use the clean_url function on the form input
first.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 23 Jul 2016 14:00:49 -0400 |
| parents | 63294ed25e84 |
| children | e8b3d3a14563 |
| 5160:f8a32b7331f1 | 5161:12190efa30d4 |
|---|---|
| 128 ------------------------------------------------ | 128 ------------------------------------------------ |
| 129 | 129 |
| 130 The login form has been improved to work with some back end code | 130 The login form has been improved to work with some back end code |
| 131 changes. Now when a user logs in they stay on the same page where they | 131 changes. Now when a user logs in they stay on the same page where they |
| 132 started the login. To make this work, you must change the tal that is | 132 started the login. To make this work, you must change the tal that is |
| 133 used to set the ``__came_from`` form variable. | 133 used to set the ``__came_from`` form variable. Note that the url |
| 134 assigned to __came_from must be url encoded/quoted and be under the | |
| 135 tracker's base url. If the base_url uses http, you can set the url to | |
| 136 https. | |
| 134 | 137 |
| 135 Replace the existing code in the tracker's html/page.html page that | 138 Replace the existing code in the tracker's html/page.html page that |
| 136 looks similar to (look for name="__came_from"):: | 139 looks similar to (look for name="__came_from"):: |
| 137 | 140 |
| 138 <input type="hidden" name="__came_from" tal:attributes="value string:${request/base}${request/env/PATH_INFO}"> | 141 <input type="hidden" name="__came_from" tal:attributes="value string:${request/base}${request/env/PATH_INFO}"> |
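Review bot: The sentence added at new lines 133-136 tells tracker admins that the value of __came_from "must be url encoded/quoted and be under the tracker's base url", but the example TAL that follows (string:${request/base}${request/env/PATH_INFO}) is unchanged and applies no quoting to PATH_INFO, so an admin copying the snippet cannot tell whether it already satisfies the new rule. Either update the example or state that it is accepted as-is, and add one sentence on what happens when the check fails: the commit message says clean_url raises a ValueError rather than repairing the url, and that is what the admin will see. Minor: the form variable is written as ``__came_from`` on line 133 and bare __came_from on line 134, and "base url" and "base_url" appear in the same sentence; pick one spelling for each.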
| 198 | 201 |
| 199 The key component here is support for the '__redirect_to' query | 202 The key component here is support for the '__redirect_to' query |
| 200 property. It is a url which can be used when creating any new item | 203 property. It is a url which can be used when creating any new item |
| 201 (issue, user, keyword ....). It controls the next page displayed after | 204 (issue, user, keyword ....). It controls the next page displayed after |
| 202 creating the item. If '__redirect_to' is not set, then you end up on | 205 creating the item. If '__redirect_to' is not set, then you end up on |
| 203 the page for the newly created item. | 206 the page for the newly created item. The url value assigned to |
| 207 __redirect_to must be under the tracker's base url and must be properly | |
| 208 url encoded. | |
| 204 | 209 |
| 205 html/_generic.404.html in trackers use page template | 210 html/_generic.404.html in trackers use page template |
| 206 ---------------------------------------------------- | 211 ---------------------------------------------------- |
| 207 | 212 |
| 208 The original generic 404 error pages for many trackers did not use the | 213 The original generic 404 error pages for many trackers did not use the |
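Review bot: The text added for __redirect_to at new lines 206-208 states the same under-the-base-url and url-encoded requirements as the __came_from note, but omits the http-to-https allowance given for __came_from and again says nothing about the failure mode (a ValueError from clean_url, per the commit message). Since both values go through the same clean_url check, the two paragraphs should describe identical rules; suggest adding a sentence such as "As with __came_from, a value that fails this check raises a ValueError rather than being silently corrected." Style: '__redirect_to' is single-quoted at line 202 and left bare at line 207; use the ``literal`` form that line 133 uses for ``__came_from``.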
