comparison roundup/cgi/form_parser.py @ 4559:86a270b5b993
- Ignore confirm set() fields by themselves in the absence of non-"confirm"
values; otherwise a bare confirm field can be used to change a
password. Reported by Cam Blackwood.
| author | Richard Jones <richard@mechanicalcat.net> |
|---|---|
| date | Mon, 07 Nov 2011 13:59:43 +1100 |
| parents | 693c75d56ebe |
| children | 9792b18e0b19 |
| 4557:33a1f03b9de0 | 4559:86a270b5b993 |
|---|---|
| 367 # handle by type now | 367 # handle by type now |
| 368 if isinstance(proptype, hyperdb.Password): | 368 if isinstance(proptype, hyperdb.Password): |
| 369 if not value: | 369 if not value: |
| 370 # ignore empty password values | 370 # ignore empty password values |
| 371 continue | 371 continue |
| 372 if d['confirm']: | |
| 373 # ignore the "confirm" password value by itself | |
| 374 continue | |
| 372 for key, d in matches: | 375 for key, d in matches: |
| 373 if d['confirm'] and d['propname'] == propname: | 376 if d['confirm'] and d['propname'] == propname: |
| 374 confirm = form[key] | 377 confirm = form[key] |
| 375 break | 378 break |
| 376 else: | 379 else: |
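Review bot: the added `if d['confirm']: continue` at lines 372-374 drops a lone confirm field silently, and its comment ("ignore the "confirm" password value by itself") does not record why that is a security matter. Expand the comment to say that a confirm value handled on its own would otherwise reach the password-setting code, as the commit message describes, so a later refactor does not remove the check as redundant. The check also sits after `if not value: continue`, so it only fires for non-empty confirm values, which is the case that matters; a regression test that submits only the confirm field and asserts the stored password is unchanged would pin this down, and none is visible in this comparison.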
