u/ewong/rhodecode-enterprise-ce-fork Commit - r2088:4558ec55

helpers: make sure request parameter is not rendered inside secure form.

marcink -

r2088:4558ec55 default

parent child

rhodecode/lib/helpers.py

0 +4 -2

                  return wh_form(url, method=method, **attrs)
-             def secure_form(url, method="POST", multipart=False, **attrs):
+             def secure_form(form_url, method="POST", multipart=False, **attrs):
                  """Start a form tag that points the action to an url. This
                  form tag will also include the hidden field containing
                  the auth token.
                  """
                  from webhelpers.pylonslib.secure_form import insecure_form
-                 form = insecure_form(url, method, multipart, **attrs)
                  session = None
                  # TODO(marcink): after pyramid migration require request variable ALWAYS
                  if 'request' in attrs:
                      session = attrs['request'].session
+                     del attrs['request']
+                 form = insecure_form(form_url, method, multipart, **attrs)
                  token = literal(
                      '<input type="hidden" id="{}" name="{}" value="{}">'.format(
                      csrf_token_key, csrf_token_key, get_csrf_token(session)))

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages