Commit a0185283 authored by Arnaud Fontaine's avatar Arnaud Fontaine

Backport: Base_callDialogMethod: Do not redirect when form has a password field.

If it is the case *and* the action script does not redirect, the password will be
in user's browser history.
There can be two different reasons to not redirect:
- not following the API (i.e., intentionally not redirecting)
- letting an exception reach ZPublisher
Also, if the non-redirection causes an HTML page to be rendered, resources
loaded by that page will have a referrer containing the password, leaking it
to potentially foreign servers.
parent 173c09c6
...@@ -60,14 +60,12 @@ from Products.ERP5Type.Log import log\n ...@@ -60,14 +60,12 @@ from Products.ERP5Type.Log import log\n
\n \n
# XXX We should not use meta_type properly,\n # XXX We should not use meta_type properly,\n
# XXX We need to discuss this problem.(yusei)\n # XXX We need to discuss this problem.(yusei)\n
def isFieldType(field, type_name):\n
if field.meta_type == \'ProxyField\':\n
field = field.getRecursiveTemplateField()\n
return field.meta_type == type_name\n
def isListBox(field):\n def isListBox(field):\n
if field.meta_type==\'ListBox\':\n return isFieldType(field, \'ListBox\')\n
return True\n
elif field.meta_type==\'ProxyField\':\n
template_field = field.getRecursiveTemplateField()\n
if template_field.meta_type==\'ListBox\':\n
return True\n
return False\n
\n \n
from Products.Formulator.Errors import FormValidationError\n from Products.Formulator.Errors import FormValidationError\n
from ZTUtils import make_query\n from ZTUtils import make_query\n
...@@ -167,7 +165,7 @@ for field in form.get_fields():\n ...@@ -167,7 +165,7 @@ for field in form.get_fields():\n
if v is not MARKER:\n if v is not MARKER:\n
if isListBox(field):\n if isListBox(field):\n
listbox_id_list.append(k)\n listbox_id_list.append(k)\n
elif can_redirect and (v in (None, [], ()) or hasattr(v, \'read\')) : # If we cannot redirect, useless to test it again\n elif can_redirect and (v in (None, [], ()) or hasattr(v, \'read\') or \'password\' in k or isFieldType(field, \'PasswordField\')) : # If we cannot redirect, useless to test it again\n
can_redirect = 0\n can_redirect = 0\n
\n \n
# Cleanup my_ and your_ prefixes\n # Cleanup my_ and your_ prefixes\n
......
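Review bot: The new `'password' in k` test on the `elif` in the second hunk is case-sensitive and only matches that one substring, so a plain StringField with an id like `my_Password`, `passwd` or `pwd` still has its value redirected into the GET query string; only the `isFieldType(field, 'PasswordField')` half is type-based and reliable. Consider normalising and widening the id heuristic, e.g. `any(s in k.lower() for s in ('password', 'passwd', 'pwd', 'secret', 'token'))`, while keeping the PasswordField check as the authoritative one. The new `isFieldType` helper has no docstring; a one-liner such as `"""Return True if field (or, for a ProxyField, its resolved template field) has meta_type type_name."""` would help. If `getRecursiveTemplateField()` can return None for a dangling proxy, `isFieldType` raises AttributeError exactly as the old `isListBox` did — not a regression, but a `field is not None and` guard would make the new helper safer. The loop around the second hunk starts outside the hunk, so whether `k` is the raw field id or a prefixed one is not visible here.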