Roundup Tracker - Issues

Issue 1085481

classification
denial of service when anonymous saves a query
Type:
Severity: normal
Components: Web interface
Versions:
process
Status: closed fixed
: richard
: pioppo, richard
Priority: normal

Created on 2004-12-14 23:47 by pioppo, last changed 2004-12-14 23:47 by pioppo.

Messages
msg1775 Author: [hidden] (pioppo) Date: 2004-12-14 23:47
Hello.

Using roundup 0.7.8 in a default install.
The classic template, in page.html, has this piece of code:

  <p class="classblock">
   <span i18n:translate=""
     ><b>Your Queries</b> (<a
     href="query?@template=edit">edit</a>)</span><br>
   <tal:block tal:repeat="qs request/user/queries">
    <a tal:attributes="href string:${qs/klass}?${qs/url}"
       tal:content="qs/name">link</a><br>
   </tal:block>
  </p>

The anonymous user in a default install is not allowed to
see items of class query, nor to edit them.
Should a query be saved by the anonymous user, the
roundup main page would become a 403, preventing visitors
from seeing the bug list and even from logging in.

At the same time, issue.search.html has this piece
of code:

  <tr>
   <th i18n:translate="">Query name**:</th>
   <td><input name="@queryname"
              tal:attributes="value
              request/form/@queryname/value | default"></td>
  </tr>

that gets shown to anonymous users, encouraging them to
save their search queries.  Indeed Anonymous is allowed
to save a query, therefore the likelihood of getting a 403
accidentally (let alone from malicious attackers) is really
high.

A quick fix is to add a tal:condition statement
preventing anonymous from seeing her saved queries (and
therefore skipping the 403) and also from saving them.
msg1776 Author: [hidden] (richard) Date: 2004-12-15 00:01
Thanks for the report - I've also added a security assertion in the actual code that saves queries.
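The template-side quick fix described in msg1775, written out as an added example (not code from the Roundup project or from either poster): both snippets quoted above are wrapped in a tal:condition that uses Roundup's HTMLUser hasPermission() method, so Anonymous neither triggers the query lookup on the main page nor is offered the "Query name" field. The permission names 'View' and 'Create' on class query are assumed to match the tracker's schema.

```html
<!-- page.html: only render the "Your Queries" block for users allowed to
     view query items. For Anonymous the whole block, including the
     request/user/queries lookup that produced the 403, is skipped.
     (Permission names are assumed to match the schema.) -->
<p class="classblock"
   tal:condition="python:request.user.hasPermission('View', 'query')">
 <span i18n:translate=""
   ><b>Your Queries</b> (<a
   href="query?@template=edit">edit</a>)</span><br>
 <tal:block tal:repeat="qs request/user/queries">
  <a tal:attributes="href string:${qs/klass}?${qs/url}"
     tal:content="qs/name">link</a><br>
 </tal:block>
</p>

<!-- issue.search.html: only offer the "Query name" field to users who may
     create query items, so Anonymous is not invited to save a search.
     This hides the field only; the server-side check on the save action
     is still what actually refuses the request. -->
<tr tal:condition="python:request.user.hasPermission('Create', 'query')">
 <th i18n:translate="">Query name**:</th>
 <td><input name="@queryname"
            tal:attributes="value
            request/form/@queryname/value | default"></td>
</tr>
```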
History
Date                 User    Action  Args
2004-12-14 23:47:17  pioppo  create