repo-forks: security, fix issue when forging fork_repo_id could allow reading...
marcink -
r2172:f94ee74b default
@@ -63,6 +63,7 b' class AdminReposView(BaseAppView, DataGr'
63 63
64 64 @LoginRequired()
65 65 @NotAnonymous()
66 # perms check inside
66 67 @view_config(
67 68 route_name='repos', request_method='GET',
68 69 renderer='rhodecode:templates/admin/repos/repos.mako')
@@ -212,10 +212,15 b' class RepoForksView(RepoAppView, DataGri'
212 212 _form = RepoForkForm(old_data={'repo_type': self.db_repo.repo_type},
213 213 repo_groups=c.repo_groups_choices,
214 214 landing_revs=c.landing_revs_choices)()
215 post_data = dict(self.request.POST)
216
217 # forbid injecting other repo by forging a request
218 post_data['fork_parent_id'] = self.db_repo.repo_id
219
215 220 form_result = {}
216 221 task_id = None
217 222 try:
218 form_result = _form.to_python(dict(self.request.POST))
223 form_result = _form.to_python(post_data)
219 224 # create fork is done sometimes async on celery, db transaction
220 225 # management is handled there.
221 226 task = RepoModel().create_fork(
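Review bot: The override on the `post_data['fork_parent_id']` line silently discards whatever the client submitted, so a forged request is neutralised but never surfaces in logs; since this commit is a security fix, record the mismatch before overwriting it so the attempt is visible for detection and audit. Assuming the module has the usual `log` logger, something like `submitted = post_data.get('fork_parent_id')` followed by `if submitted is not None and str(submitted) != str(self.db_repo.repo_id): log.warning('fork_parent_id %r in POST does not match route repo %s', submitted, self.db_repo.repo_id)` placed before the assignment would do it (POST values arrive as strings, hence the `str()` on both sides). The added comment would also read more precisely as `# forbid forking another repo by forging fork_parent_id in the POST body; the route's repo is authoritative`, and the commit title's `fork_repo_id` appears to refer to this same `fork_parent_id` field. The enclosing method continues past the end of this hunk.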