diff roundup/cgi/form_parser.py @ 4559:86a270b5b993

- Ignore confirm set() fields by themselves in the absence of non-"confirm" values; otherwise a bare confirm field can be used to change the password. Reported by Cam Blackwood.
author Richard Jones <richard@mechanicalcat.net>
date Mon, 07 Nov 2011 13:59:43 +1100
parents 693c75d56ebe
children 9792b18e0b19
--- a/roundup/cgi/form_parser.py	Mon Oct 31 17:48:11 2011 -0400
+++ b/roundup/cgi/form_parser.py	Mon Nov 07 13:59:43 2011 +1100
@@ -369,6 +369,9 @@
                 if not value:
                     # ignore empty password values
                     continue
+                if d['confirm']:
+                    # ignore the "confirm" password value by itself
+                    continue
                 for key, d in matches:
                     if d['confirm'] and d['propname'] == propname:
                         confirm = form[key]
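Review bot: The new guard `if d['confirm']: continue` tests a `d` bound by an enclosing loop that is outside this hunk, while the loop immediately below (`for key, d in matches:`) rebinds both `key` and `d`; with the same names serving two roles, a reader has to reconstruct which binding the guard inspects, and the outer `key`/`d` are clobbered once the inner loop runs. Suggest renaming the inner loop variables (for example `for ckey, cd in matches:` with `cd['confirm']`, `cd['propname']`, `form[ckey]`) so the subject of the security check is unambiguous. Also worth a comment on the guard itself: it sits after `if not value: continue`, so the intent that a bare confirm value never reaches the password-setting path, whether empty or not, should be stated explicitly next to the check rather than only in the commit message.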

Roundup Issue Tracker: http://roundup-tracker.org/