changeset 5207:4a157824f933
changes to try to deploy anti-csrf defense to other templates.
--- a/share/roundup/templates/devel/html/_generic.index.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/devel/html/_generic.index.html Sat Mar 18 23:36:02 2017 -0400
@@ -44,6 +44,8 @@
 tal:attributes="action context/designator">
 <textarea rows="15" style="width:90%" name="rows" tal:content="context/csv"></textarea>
 <br>
+<input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="editCSV">
 <input type="submit" value="Edit Items" i18n:attributes="value">
 </form>
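Review bot: The added `<input name="@csrf" type="hidden"` line in _generic.index.html starts at column 0 while its own continuation line `tal:attributes="value python:utils.anti_csrf_nonce()">` and the equivalent inserts in every other file of this changeset are indented, which reads as a stray paste. Indenting the first line the same way as its continuation keeps the nonce input visually one element. The responsive/_generic.index.html hunk has the same layout. The enclosing `<form>` starts outside the hunk.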
--- a/share/roundup/templates/devel/html/file.item.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/devel/html/file.item.html Sat Mar 18 23:36:02 2017 -0400
@@ -65,7 +65,8 @@
 enctype="multipart/form-data"
 tal:attributes="action context/designator"
 tal:condition="python:request.user.hasPermission('SB: May Classify')">
-
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="spambayes_classify">
 <input type="submit" name="trainspam" value="Mark as SPAM" i18n:attributes="value">
 <input type="submit" name="trainham" value="Mark as HAM (not SPAM)" i18n:attributes="value">
--- a/share/roundup/templates/devel/html/msg.item.html Sat Mar 18 23:34:41 2017 -0400 +++ b/share/roundup/templates/devel/html/msg.item.html Sat Mar 18 23:36:02 2017 -0400 @@ -73,6 +73,8 @@ enctype="multipart/form-data" tal:attributes="action context/designator"> + <input name="@csrf" type="hidden" + tal:attributes="value python:utils.anti_csrf_nonce()"> <input type="hidden" name="@action" value="spambayes_classify"> <input type="submit" name="trainspam" value="Mark as SPAM" i18n:attributes="value"> <input type="submit" name="trainham" value="Mark as HAM (not SPAM)" i18n:attributes="value">
--- a/share/roundup/templates/devel/html/page.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/devel/html/page.html Sat Mar 18 23:36:02 2017 -0400
@@ -83,6 +83,8 @@
 <input type="submit" class="form-small" value="Show bug:" i18n:attributes="value"/>
 <input class="form-small" size="4" type="text" name="@number"/>
 <input type="hidden" name="@type" value="bug"/>
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="show"/>
 </form>
 </li>
@@ -128,6 +130,8 @@
 <input type="submit" class="form-small" value="Show task:" i18n:attributes="value"/>
 <input class="form-small" size="4" type="text" name="@number"/>
 <input type="hidden" name="@type" value="task"/>
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="show"/>
 </form>
 </li>
@@ -160,6 +164,8 @@
 <tal:span i18n:translate="">Login</tal:span><br/>
 <input size="10" name="__login_name"/><br/>
 <input size="10" type="password" name="__login_password"/><br/>
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="Login"/>
 <input type="checkbox" name="remember" id="remember"/>
 <label for="remember" i18n:translate="">Remember me?</label><br/>
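Review bot: The two `@action=show` lookup forms in page.html now carry a nonce, but their `<form>` tags and `method` attributes are outside the hunks; if either form submits with GET, the nonce travels in the query string and so lands in browser history, server logs and the Referer header of the page it leads to, which undermines the token for the forms that do matter. Please confirm both are `method="POST"`, or leave the nonce off a read-only lookup that changes no state. The same check applies to the two "Show bug"/"Show task" hunks in responsive/page.html. As a minor style point, the new inputs end with `>` while every neighbouring input in this file is written `/>`, so `tal:attributes="value python:utils.anti_csrf_nonce()"/>` would keep the file consistent.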
--- a/share/roundup/templates/devel/html/patch.item.html Sat Mar 18 23:34:41 2017 -0400 +++ b/share/roundup/templates/devel/html/patch.item.html Sat Mar 18 23:36:02 2017 -0400 @@ -74,6 +74,8 @@ tal:attributes="action context/designator" tal:condition="python:request.user.hasPermission('SB: May Classify')"> + <input name="@csrf" type="hidden" + tal:attributes="value python:utils.anti_csrf_nonce()"> <input type="hidden" name="@action" value="spambayes_classify"> <input type="submit" name="trainspam" value="Mark as SPAM" i18n:attributes="value"> <input type="submit" name="trainham" value="Mark as HAM (not SPAM)" i18n:attributes="value"> @@ -160,6 +162,8 @@ tal:attributes="action context/designator" tal:condition="python:request.user.hasPermission('SB: May Classify')"> + <input name="@csrf" type="hidden" + tal:attributes="value python:utils.anti_csrf_nonce()"> <input type="hidden" name="@action" value="spambayes_classify"> <input type="submit" name="trainspam" value="Mark as SPAM" i18n:attributes="value"> <input type="submit" name="trainham" value="Mark as HAM (not SPAM)" i18n:attributes="value">
--- a/share/roundup/templates/devel/html/query.edit.html Sat Mar 18 23:34:41 2017 -0400 +++ b/share/roundup/templates/devel/html/query.edit.html Sat Mar 18 23:36:02 2017 -0400 @@ -96,6 +96,8 @@ </tr> <tr><td colspan="5"> + <input name="@csrf" type="hidden" + tal:attributes="value python:utils.anti_csrf_nonce()"> <input type="hidden" name="@action" value="edit"> <input type="hidden" name="@template" value="edit"> <input type="submit" value="Save Selection" i18n:attributes="value">
--- a/share/roundup/templates/devel/html/task.item.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/devel/html/task.item.html Sat Mar 18 23:36:02 2017 -0400
@@ -190,6 +190,8 @@
 <td>
 <form style="padding:0" tal:condition="file/is_edit_ok"
 tal:attributes="action string:task${context/id}">
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@remove@files" tal:attributes="value file/id">
 <input type="hidden" name="@action" value="edit">
 <input type="submit" value="remove" i18n:attributes="value">
@@ -211,7 +213,10 @@
 <th>
 <form style="padding:0" tal:condition="msg/is_edit_ok"
 tal:attributes="action string:task${context/id}">
- <input type="hidden" name="@remove@messages" tal:attributes="value msg/id">
+ <input type="hidden" name="@remove@messages"
+ tal:attributes="value msg/id">
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="edit">
 <input type="submit" value="remove" i18n:attributes="value">
 </form>
--- a/share/roundup/templates/devel/html/user.forgotten.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/devel/html/user.forgotten.html Sat Mar 18 23:36:02 2017 -0400
@@ -25,6 +25,8 @@
 <tr>
 <td> </td>
 <td>
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="passrst">
 <input type="hidden" name="@template" value="forgotten">
 <input type="submit" value="Request password reset"
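Review bot: `utils.anti_csrf_nonce()` is now evaluated for anonymous visitors on this password-reset form (and on the register and login forms in the other hunks of this changeset), but nothing in the hunk shows what the nonce is bound to. If it is keyed to an authenticated user's session rather than to the anonymous session, these forms would fail the check for exactly the users they serve, so a logged-out submission of each is worth testing before this ships. The `<form>` element and its `method` are outside the hunk.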
--- a/share/roundup/templates/devel/html/user.register.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/devel/html/user.register.html Sat Mar 18 23:36:02 2017 -0400
@@ -65,7 +65,10 @@
 <td> </td>
 <td>
 <input type="hidden" name="@template" value="register">
- <input type="hidden" name="@required" value="username,password,address">
+ <input type="hidden" name="@required"
+ value="username,password,address">
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="register">
 <input type="submit" name="submit" value="Register" i18n:attributes="value">
 </td>
--- a/share/roundup/templates/jinja2/html/_generic.index.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/jinja2/html/_generic.index.html Sat Mar 18 23:36:02 2017 -0400
@@ -34,6 +34,7 @@
 <form method="POST" action='{{ context.designator() }}'>
 <textarea rows="15" style="width:90%" name="rows">{{ context.csv }}</textarea>
 <br>
+ <input name="@csrf" type="hidden" value="{{ utils.anti_csrf_nonce() }}">
 <input type="hidden" name="@action" value="{{ i18n.gettext('editCSV') }}">
 <input type="submit" value="{{ i18n.gettext('Edit Items') }}">
 </form>
--- a/share/roundup/templates/jinja2/html/file.index.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/jinja2/html/file.index.html Sat Mar 18 23:36:02 2017 -0400
@@ -23,6 +23,7 @@
 <td>
 <form method="POST" action='issue{{ context.id }}'>
 <input type="hidden" name="@remove@files" value='{{ file.id }}'>
+ <input name="@csrf" type="hidden" value="{{ utils.anti_csrf_nonce() }}">
 <input type="hidden" name="@action" value="{{ i18n.gettext('edit') }}">
 <input type="submit" value="{{ i18n.gettext('remove') }}">
 </form>
--- a/share/roundup/templates/jinja2/html/issue.item.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/jinja2/html/issue.item.html Sat Mar 18 23:36:02 2017 -0400
@@ -57,6 +57,8 @@
 {% if context.is_edit_ok %}
 <form method="POST" action='issue{{ context.id }}' class='form-inline'>
 <input type="hidden" name="@remove@messages" value='{{ msg.id }}'>
+ <input name="@csrf" type="hidden"
+ value="{{ utils.anti_csrf_nonce() }}">
 <input type="hidden" name="@action" value="edit">
 <input type="submit" value="remove">
 </form>
--- a/share/roundup/templates/jinja2/html/keyword.item.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/jinja2/html/keyword.item.html Sat Mar 18 23:36:02 2017 -0400
@@ -30,6 +30,8 @@
 <input type='text' class='input-xlarge' name='name'>
 <input type="hidden" name="@required" value="name">
 <input type="hidden" name="@template" value="item">
+ <input name="@csrf" type="hidden"
+ value="{{ utils.anti_csrf_nonce() }}">
 <input type="hidden" name="@action" value="new">
 <input type='submit' class='btn btn-primary' value="{{ i18n.gettext('Create keyword') }}">
 </form>
--- a/share/roundup/templates/jinja2/html/user.forgotten.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/jinja2/html/user.forgotten.html Sat Mar 18 23:36:02 2017 -0400
@@ -18,6 +18,10 @@
 <div class='row-fluid'>
 <label>{{ i18n.gettext('Email Address') }}:</label>
 <input type='text' name="address">
+ <input name="@csrf" type="hidden"
+ value="{{ utils.anti_csrf_nonce() }}">
+ <input name="@csrf" type="hidden"
+ value="{{ utils.anti_csrf_nonce() }}">
 <input type="hidden" name="@action" value="passrst">
 <input type="hidden" name="@template" value="forgotten">
 <input type="submit" value="{{ i18n.gettext('Password reset') }}" class='btn btn-primary'>
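Review bot: The jinja2 user.forgotten.html hunk inserts the `@csrf` hidden input twice, so the password-reset form submits two `@csrf` values, each from a separate `utils.anti_csrf_nonce()` call. Depending on how the handler reads the field it will see either a list where it expects one string or only one of the two nonces while the other was issued and never consumed, so the check may fail or the second nonce may be left outstanding. Drop one of the two `<input name="@csrf" type="hidden" value="{{ utils.anti_csrf_nonce() }}">` pairs so this form matches every other hunk in the changeset. The `<form>` element is outside the hunk.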
--- a/share/roundup/templates/jinja2/html/user.index.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/jinja2/html/user.index.html Sat Mar 18 23:36:02 2017 -0400
@@ -37,6 +37,8 @@
 <td>
 <form method="POST" action='user{{ user.id }}' class='form-inline'>
 <input type="hidden" name="@template" value="index">
+ <input name="@csrf" type="hidden"
+ value="{{ utils.anti_csrf_nonce() }}">
 <input type="hidden" name="@action" value="retire">
 <input type="submit" value="{{ i18n.gettext('retire') }}" class='btn btn-small'>
 </form>
--- a/share/roundup/templates/jinja2/html/user.register.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/jinja2/html/user.register.html Sat Mar 18 23:36:02 2017 -0400
@@ -80,6 +80,8 @@
 <tr class='form-actions'>
 <td>
 <input type="hidden" name="@template" value="register">
+ <input name="@csrf" type="hidden"
+ value="{{ utils.anti_csrf_nonce() }}">
 <input type="hidden" name="@action" value="register">
 <input type="submit" name="submit" value="{{ i18n.gettext('Register') }}">
 </td>
--- a/share/roundup/templates/responsive/html/_generic.index.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/responsive/html/_generic.index.html Sat Mar 18 23:36:02 2017 -0400
@@ -44,6 +44,8 @@
 tal:attributes="action context/designator">
 <textarea rows="15" style="width:90%" name="rows" tal:content="context/csv"></textarea>
 <br>
+<input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="editCSV">
 <input type="submit" value="Edit Items" i18n:attributes="value">
 </form>
--- a/share/roundup/templates/responsive/html/file.item.html Sat Mar 18 23:34:41 2017 -0400 +++ b/share/roundup/templates/responsive/html/file.item.html Sat Mar 18 23:36:02 2017 -0400 @@ -66,6 +66,8 @@ tal:attributes="action context/designator" tal:condition="python:request.user.hasPermission('SB: May Classify')"> + <input name="@csrf" type="hidden" + tal:attributes="value python:utils.anti_csrf_nonce()"> <input type="hidden" name="@action" value="spambayes_classify"> <input type="submit" name="trainspam" value="Mark as SPAM" i18n:attributes="value"> <input type="submit" name="trainham" value="Mark as HAM (not SPAM)" i18n:attributes="value">
--- a/share/roundup/templates/responsive/html/page.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/responsive/html/page.html Sat Mar 18 23:36:02 2017 -0400
@@ -99,6 +99,8 @@
 <input class="input-small" type="text" name="@number"/>
 <input type="submit" class="btn" value="Show bug" i18n:attributes="value"/>
 <input type="hidden" name="@type" value="bug"/>
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="show"/>
 </form>
 </li>
@@ -145,6 +147,8 @@
 <input class="input-small" type="text" name="@number"/>
 <input type="submit" class="btn" value="Show task" i18n:attributes="value"/>
 <input type="hidden" name="@type" value="task"/>
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="show"/>
 </form>
 </li>
@@ -175,6 +179,8 @@
 <legend><i class='icon-user'></i>Login form</legend>
 <input name="__login_name" type='text' placeholder='Username' i18n:attributes="placeholder">
 <input type="password" name="__login_password" placeholder='Password' i18n:attributes="placeholder">
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="Login"/>
 <label class='checkbox'>
 <input type="checkbox" name="remember" id="remember">Remember me?
--- a/share/roundup/templates/responsive/html/query.edit.html Sat Mar 18 23:34:41 2017 -0400 +++ b/share/roundup/templates/responsive/html/query.edit.html Sat Mar 18 23:36:02 2017 -0400 @@ -96,6 +96,8 @@ </tr> <tr><td colspan="5"> + <input name="@csrf" type="hidden" + tal:attributes="value python:utils.anti_csrf_nonce()"> <input type="hidden" name="@action" value="edit"> <input type="hidden" name="@template" value="edit"> <input type="submit" value="Save Selection" i18n:attributes="value">
--- a/share/roundup/templates/responsive/html/task.item.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/responsive/html/task.item.html Sat Mar 18 23:36:02 2017 -0400
@@ -304,6 +304,8 @@
 <form style="padding:0" tal:condition="file/is_edit_ok"
 tal:attributes="action string:bug${context/id}">
 <input type="hidden" name="@remove@files" tal:attributes="value file/id">
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="edit">
 <input type="submit" value="remove" i18n:attributes="value">
 </form>
--- a/share/roundup/templates/responsive/html/user.forgotten.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/responsive/html/user.forgotten.html Sat Mar 18 23:36:02 2017 -0400
@@ -25,6 +25,8 @@
 <tr>
 <td> </td>
 <td>
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="passrst">
 <input type="hidden" name="@template" value="forgotten">
 <input type="submit" value="Request password reset"
--- a/share/roundup/templates/responsive/html/user.register.html Sat Mar 18 23:34:41 2017 -0400
+++ b/share/roundup/templates/responsive/html/user.register.html Sat Mar 18 23:36:02 2017 -0400
@@ -65,7 +65,10 @@
 <td> </td>
 <td>
 <input type="hidden" name="@template" value="register">
- <input type="hidden" name="@required" value="username,password,address">
+ <input type="hidden" name="@required"
+ value="username,password,address">
+ <input name="@csrf" type="hidden"
+ tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="register">
 <input type="submit" name="submit" value="Register" i18n:attributes="value">
 </td>
