Attachment 'patch-prevent-action-overriding-from-POST-requests-1.8.diff'

   1 # HG changeset patch
   2 # User Paul Boddie <paul@boddie.org.uk>
   3 # Date 1359674166 -3600
   4 # Node ID 1f03e30249b8851a8908fd414ab4ca3a31ee7b03
   5 # Parent  f5c49cf80dad51e0eb3f6e0801f58edd123b5a7d
   6 Prevent any request body parameter from overriding the action in the URL.
   7 This prevents the OpenID relying party authentication module in Moin (and
   8 potentially other relying parties) from confusing Moin as an OpenID server by
   9 including an "action" parameter in a POST request to an identity endpoint and
  10 causing Moin as an OpenID server to try and handle the request using the named
  11 action (typically "login") instead of using the "serveopenid" action.
  12 
  13 diff -r f5c49cf80dad -r 1f03e30249b8 MoinMoin/request/__init__.py
  14 --- a/MoinMoin/request/__init__.py	Sun Oct 09 19:51:05 2011 +0200
  15 +++ b/MoinMoin/request/__init__.py	Fri Feb 01 00:16:06 2013 +0100
  16 @@ -1071,6 +1071,8 @@
  17          # if we have form data (in a POST), those override the stuff we already have:
  18          if self.request_method == 'POST':
  19              postargs = self._setup_args_from_cgi_form()
  20 +            if args.has_key("action") and postargs.has_key("action"):
  21 +                del postargs["action"]
  22              args.update(postargs)
  23          return args
  24  
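Review bot: the new check in the `if self.request_method == 'POST':` block discards the body's "action" silently, so a relying party that misroutes a POST to the identity endpoint will just be handled by "serveopenid" with no trace of the dropped parameter; a debug log line at the `del postargs["action"]` point would make such misrouted requests visible when diagnosing OpenID login failures. Also note the guard is deliberately narrow: when the URL carries no "action" at all, a body "action" still reaches `args` via `args.update(postargs)`, which matches the commit message ("overriding the action in the URL") but deserves a word in the comment above the block so a later reader does not take it for an omission. Minor: `has_key` is deprecated in Python 2; `"action" in args and "action" in postargs` is the idiomatic form and works on the same dict-like objects.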

Attached Files

  • (2013-01-31 23:32:42, 1.2 KB) [[attachment:patch-prevent-action-overriding-from-POST-requests-1.8.diff]]
  • (2013-02-01 00:38:54, 1.8 KB) [[attachment:patch-prevent-action-overriding-from-POST-requests-but-preserve-parameters-1.8.diff]]