changeset 5204:c8bf4e9912ed

convert classic template for CSRF defense
author John Rouillard <rouilj@ieee.org>
date Sat, 18 Mar 2017 22:55:50 -0400
parents 9f490cc0effe
children 9cd95b1ead8e
files share/roundup/templates/classic/html/_generic.index.html share/roundup/templates/classic/html/issue.item.html share/roundup/templates/classic/html/page.html share/roundup/templates/classic/html/query.edit.html share/roundup/templates/classic/html/user.forgotten.html share/roundup/templates/classic/html/user.index.html share/roundup/templates/classic/html/user.register.html
diffstat 7 files changed, 20 insertions(+), 1 deletions(-) [+]
--- a/share/roundup/templates/classic/html/_generic.index.html	Sat Mar 18 22:19:51 2017 -0400
+++ b/share/roundup/templates/classic/html/_generic.index.html	Sat Mar 18 22:55:50 2017 -0400
@@ -47,6 +47,8 @@
       tal:attributes="action context/designator">
 <textarea rows="15" style="width:90%" name="rows" tal:content="context/csv"></textarea>
 <br>
+<input name="@csrf" type="hidden"
+       tal:attributes="value python:utils.anti_csrf_nonce()">
 <input type="hidden" name="@action" value="editCSV">
 <input type="submit" value="Edit Items" i18n:attributes="value">
 </form>
--- a/share/roundup/templates/classic/html/issue.item.html	Sat Mar 18 22:19:51 2017 -0400
+++ b/share/roundup/templates/classic/html/issue.item.html	Sat Mar 18 22:55:50 2017 -0400
@@ -154,6 +154,8 @@
    <form style="padding:0" method="POST" tal:condition="context/is_edit_ok"
          tal:attributes="action string:issue${context/id}">
     <input type="hidden" name="@remove@files" tal:attributes="value file/id">
+    <input name="@csrf" type="hidden"
+	   tal:attributes="value python:utils.anti_csrf_nonce()">
     <input type="hidden" name="@action" value="edit">
     <input type="submit" value="remove" i18n:attributes="value">
    </form>
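Review bot: The continuation line `tal:attributes="value python:utils.anti_csrf_nonce()"` is indented with a tab while the neighbouring template lines use spaces; the same tab-indented continuation appears in the second hunk of this file and in the page.html, query.edit.html, user.forgotten.html, user.index.html and user.register.html hunks, so re-indenting those lines with spaces would keep the templates consistent. Separately, this input sits inside the per-file "remove" form, so a page listing N attached files calls `utils.anti_csrf_nonce()` N times, and the per-message forms in the next hunk and the per-user retire forms in user.index.html behave the same way. If nonces are persisted server-side, it is worth confirming that one stored nonce per row is an acceptable storage and expiry cost, or whether the validation code allows a single nonce rendered once per page to be reused across these small forms. The enclosing file/message loops start outside the hunk.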
@@ -175,6 +177,8 @@
     <form style="padding:0" method="POST" tal:condition="context/is_edit_ok"
           tal:attributes="action string:issue${context/id}">
      <input type="hidden" name="@remove@messages" tal:attributes="value msg/id">
+     <input name="@csrf" type="hidden"
+	    tal:attributes="value python:utils.anti_csrf_nonce()">
      <input type="hidden" name="@action" value="edit">
      <input type="submit" value="remove" i18n:attributes="value">
     </form>
--- a/share/roundup/templates/classic/html/page.html	Sat Mar 18 22:19:51 2017 -0400
+++ b/share/roundup/templates/classic/html/page.html	Sat Mar 18 22:55:50 2017 -0400
@@ -94,6 +94,8 @@
      i18n:attributes="value"><input class="form-small" size="4"
      type="text" name="@number">
     <input type="hidden" name="@type" value="issue">
+    <input name="@csrf" type="hidden"
+	   tal:attributes="value python:utils.anti_csrf_nonce()">
     <input type="hidden" name="@action" value="show">
    </p>
   </form>
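Review bot: The form that receives this nonce opens above the hunk, so its `method` is not visible here; its action is `show`, a navigation form, and if it submits via GET the nonce would travel in the URL and therefore into browser history and any Referer header sent from the resulting page. Please confirm the form is `method="POST"`, or decide whether a read-only `show` submission needs a nonce at all if the server does not enforce one for it. Either way a short comment on the input, such as `<!-- @csrf: only meaningful on a POST form -->`, would tell the next maintainer why it is here.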
@@ -132,6 +134,8 @@
     <input type="hidden" name="@action" value="Login">
     <input type="checkbox" name="remember" id="remember">
     <label for="remember" i18n:translate="">Remember me?</label><br>
+    <input name="@csrf" type="hidden"
+	   tal:attributes="value python:utils.anti_csrf_nonce()">
     <input type="submit" value="Login" i18n:attributes="value"><br>
     <input type="hidden" name="__came_from"
 	   tal:condition="exists:request/env/QUERY_STRING"
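Review bot: This login form is rendered for users who are not yet authenticated, as are the password-reset request in user.forgotten.html and the registration form in user.register.html, so `utils.anti_csrf_nonce()` has to produce a nonce that can later be validated for an anonymous session or every login, reset and registration attempt will be rejected. Nothing in these hunks shows how the nonce is bound, so this should be checked against the implementation of anti_csrf_nonce() and the validating code. A comment beside the input such as `<!-- @csrf nonce must validate for anonymous (pre-login) sessions -->` would record that requirement in the template.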
--- a/share/roundup/templates/classic/html/query.edit.html	Sat Mar 18 22:19:51 2017 -0400
+++ b/share/roundup/templates/classic/html/query.edit.html	Sat Mar 18 22:55:50 2017 -0400
@@ -157,6 +157,8 @@
 </tr>
 </tal:block>
 <tr><td colspan="5">
+    <input name="@csrf" type="hidden"
+	   tal:attributes="value python:utils.anti_csrf_nonce()">
    <input type="hidden" name="@action" value="edit">
    <input type="hidden" name="@template" value="edit">
    <input type="submit" value="Save Selection" i18n:attributes="value">
--- a/share/roundup/templates/classic/html/user.forgotten.html	Sat Mar 18 22:19:51 2017 -0400
+++ b/share/roundup/templates/classic/html/user.forgotten.html	Sat Mar 18 22:55:50 2017 -0400
@@ -19,6 +19,8 @@
       <tr>
         <td>&nbsp;</td>
         <td>
+	  <input name="@csrf" type="hidden"
+		 tal:attributes="value python:utils.anti_csrf_nonce()">
           <input type="hidden" name="@action" value="passrst">
           <input type="hidden" name="@template" value="forgotten">
           <input type="submit" value="Request password reset"
--- a/share/roundup/templates/classic/html/user.index.html	Sat Mar 18 22:19:51 2017 -0400
+++ b/share/roundup/templates/classic/html/user.index.html	Sat Mar 18 22:55:50 2017 -0400
@@ -37,6 +37,8 @@
     <form style="padding:0" method="POST"
           tal:attributes="action string:user${user/id}">
      <input type="hidden" name="@template" value="index">
+     <input name="@csrf" type="hidden"
+	    tal:attributes="value python:utils.anti_csrf_nonce()">
      <input type="hidden" name="@action" value="retire">
      <input type="submit" value="retire" i18n:attributes="value">
     </form>
--- a/share/roundup/templates/classic/html/user.register.html	Sat Mar 18 22:19:51 2017 -0400
+++ b/share/roundup/templates/classic/html/user.register.html	Sat Mar 18 22:55:50 2017 -0400
@@ -58,7 +58,10 @@
   <td>&nbsp;</td>
   <td>
    <input type="hidden" name="@template" value="register">
-   <input type="hidden" name="@required" value="username,password,address">
+   <input type="hidden" name="@required"
+	  value="username,password,address">
+   <input name="@csrf" type="hidden"
+	  tal:attributes="value python:utils.anti_csrf_nonce()">
    <input type="hidden" name="@action" value="register">
    <input type="submit" name="submit" value="Register" i18n:attributes="value">
   </td>
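Review bot: The rewrap of the `@required` hidden input onto two lines is an unrelated formatting change bundled with the CSRF addition, which makes the security-relevant part of this changeset harder to review and to bisect later. Keeping `<input type="hidden" name="@required" value="username,password,address">` on its original single line (or moving the reflow to its own changeset) would leave this hunk as the two-line nonce insertion only. The enclosing form opens outside the hunk.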
