Attachment 'patch-prevent-action-overriding-from-POST-requests-but-preserve-parameters-1.8.diff'
Download 1 # HG changeset patch
2 # User Paul Boddie <paul@boddie.org.uk>
3 # Date 1359679127 -3600
4 # Node ID f548add9c9d5a0c445c752c82fb6465c2b442d21
5 # Parent f5c49cf80dad51e0eb3f6e0801f58edd123b5a7d
6 Prevent any request body parameter from overriding the action in the URL.
7 This prevents the OpenID relying party authentication module in Moin (and
8 potentially other relying parties) from confusing Moin as an OpenID server by
9 including an "action" parameter in a POST request to an identity endpoint and
10 causing Moin as an OpenID server to try and handle the request using the named
11 action (typically "login") instead of using the "serveopenid" action.
12
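--- a/MoinMoin/request/__init__.py
+++ b/MoinMoin/request/__init__.py
@@ -181,12 +181,13 @@
 self.action = 'xmlrpc'
 self.rev = None
 else:
+self.action = None
 try:
 self.args = self.form = self.setup_args()
 except UnicodeError:
 self.makeForbidden(403, "The input you sent could not be understood.")
 return
-self.action = self.form.get('action', ['show'])[0]
+self.action = self.action or self.form.get('action', ['show'])[0]
 try:
 self.rev = int(self.form['rev'][0])
 except:
@@ -1068,6 +1069,7 @@
 """
 args = cgi.parse_qs(self.query_string, keep_blank_values=1)
 args = self.decodeArgs(args)
+self.action = args.get('action', [None])[0]
 # if we have form data (in a POST), those override the stuff we already have:
 if self.request_method == 'POST':
 postargs = self._setup_args_from_cgi_form()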
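Review bot: The fallback in the first hunk, `self.action = self.action or self.form.get('action', ['show'])[0]`, keys on truthiness rather than presence, so a blank `action=` in the query string — which `cgi.parse_qs(..., keep_blank_values=1)` in the second hunk yields as `['']`, making `self.action` the empty string — falls through to the merged form, where a POST-body `action` appears to still win after the override step the comment describes; that is the overriding the commit sets out to prevent. Distinguish "absent" from "blank" with `self.action = self.form.get('action', ['show'])[0] if self.action is None else self.action`, which keeps the query-string value authoritative whenever the parameter was given at all. `setup_args` now also records the query-string action on `self.action` as a side effect before the POST merge; its docstring (cut off above the hunk) should state this, since callers otherwise see only the returned args. The enclosing methods of both hunks begin and end outside the hunks.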