-
-
Notifications
You must be signed in to change notification settings - Fork 75
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Branch: refs/heads/master Date: 2016-09-07T17:29:37+02:00 Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> Commit: plone/plone.app.users@38284c2 Don't show unescaped user id in user-information form. This applies PloneHotfix20160830. Files changed: A plone/app/users/tests/test_user_data_panel.py M CHANGES.rst M plone/app/users/browser/userdatapanel.py Repository: plone.app.users Branch: refs/heads/master Date: 2016-09-07T17:48:58+02:00 Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> Commit: plone/plone.app.users@46c34bc Give 404 when user-information form is called with not existing userid. Files changed: M CHANGES.rst M plone/app/users/browser/userdatapanel.py M plone/app/users/tests/test_user_data_panel.py Repository: plone.app.users Branch: refs/heads/master Date: 2016-09-12T19:07:50+02:00 Author: Jens W. Klein (jensens) <jk@kleinundpartner.at> Commit: plone/plone.app.users@9e20918 Merge pull request #60 from plone/apply-hotfix-20160830-master Apply hotfix 20160830 master Files changed: A plone/app/users/tests/test_user_data_panel.py M CHANGES.rst M plone/app/users/browser/userdatapanel.py
- Loading branch information
Showing
1 changed file
with
248 additions
and
50 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,88 +1,286 @@ | ||
| Repository: plone.tiles | ||
| Repository: plone.app.users | ||
|
|
||
|
|
||
| Branch: refs/heads/master | ||
| Date: 2016-09-12T10:37:57+03:00 | ||
| Author: Asko Soukka (datakurre) <asko.soukka@iki.fi> | ||
| Commit: https://github.com/plone/plone.tiles/commit/66e65618d4ffd5758317c90761fba98b5d4e0987 | ||
| Date: 2016-09-07T17:29:37+02:00 | ||
| Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> | ||
| Commit: https://github.com/plone/plone.app.users/commit/38284c22eb13a7416efa14eabe8aa0fe7ce84d43 | ||
|
|
||
| Preparing release 1.7.1 | ||
| Don't show unescaped user id in user-information form. | ||
|
|
||
| This applies PloneHotfix20160830. | ||
|
|
||
| Files changed: | ||
| A plone/app/users/tests/test_user_data_panel.py | ||
| M CHANGES.rst | ||
| M setup.py | ||
| M plone/app/users/browser/userdatapanel.py | ||
|
|
||
| diff --git a/CHANGES.rst b/CHANGES.rst | ||
| index 8e429cf..bcce100 100644 | ||
| index a793b31..045c6fd 100644 | ||
| --- a/CHANGES.rst | ||
| +++ b/CHANGES.rst | ||
| @@ -1,7 +1,7 @@ | ||
| Changelog | ||
| ========= | ||
| @@ -14,7 +14,8 @@ New features: | ||
|
|
||
| Bug fixes: | ||
|
|
||
| -1.7.1 (unreleased) | ||
| +1.7.1 (2016-09-12) | ||
| ------------------ | ||
| -- *add item here* | ||
| +- Don't show unescaped user id in user-information form. | ||
| + This applies PloneHotfix20160830. [maurits] | ||
|
|
||
| - Fix issue where collective.cover was broken, because internal changes in | ||
| diff --git a/setup.py b/setup.py | ||
| index 5eef97f..a1382c5 100644 | ||
| --- a/setup.py | ||
| +++ b/setup.py | ||
| @@ -5,7 +5,7 @@ | ||
| import os | ||
|
|
||
| 2.3.7 (2016-08-18) | ||
| diff --git a/plone/app/users/browser/userdatapanel.py b/plone/app/users/browser/userdatapanel.py | ||
| index debc12d..f28a809 100644 | ||
| --- a/plone/app/users/browser/userdatapanel.py | ||
| +++ b/plone/app/users/browser/userdatapanel.py | ||
| @@ -15,6 +15,9 @@ | ||
| from ..schema import IUserDataSchema | ||
| from .schemaeditor import getFromBaseSchema | ||
|
|
||
| -version = '1.7.1.dev0' | ||
| +version = '1.7.1' | ||
| +import cgi | ||
| + | ||
| + | ||
|
|
||
| setup( | ||
| name='plone.tiles', | ||
| class UserDataPanelAdapter(AccountPanelSchemaAdapter): | ||
| """One does not simply set portrait, email might be used to login with. | ||
| @@ -72,7 +75,7 @@ def description(self): | ||
| return _( | ||
| u'description_personal_information_form_otheruser', | ||
| default='Change personal information for $name', | ||
| - mapping={'name': userid} | ||
| + mapping={'name': cgi.escape(userid)} | ||
| ) | ||
| else: | ||
| # editing my own profile | ||
| diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py | ||
| new file mode 100644 | ||
| index 0000000..7cbc9ba | ||
| --- /dev/null | ||
| +++ b/plone/app/users/tests/test_user_data_panel.py | ||
| @@ -0,0 +1,30 @@ | ||
| +from plone.app.users.browser.userdatapanel import UserDataPanel | ||
| +from plone.app.users.testing import PLONE_APP_USERS_FUNCTIONAL_TESTING | ||
| +from zope.i18n import translate | ||
| + | ||
| +import unittest | ||
| + | ||
| + | ||
| +class TestUserDataPanel(unittest.TestCase): | ||
| + | ||
| + layer = PLONE_APP_USERS_FUNCTIONAL_TESTING | ||
| + | ||
| + def test_regression(self): | ||
| + portal = self.layer['portal'] | ||
| + request = self.layer['request'] | ||
| + request.form.update({ | ||
| + 'userid': 'admin' | ||
| + }) | ||
| + form = UserDataPanel(portal, request) | ||
| + description = translate(form.description, context=request) | ||
| + self.assertTrue('admin' in description) | ||
| + | ||
| + def test_escape_html(self): | ||
| + portal = self.layer['portal'] | ||
| + request = self.layer['request'] | ||
| + request.form.update({ | ||
| + 'userid': 'admin<script>alert("userid")</script>' | ||
| + }) | ||
| + form = UserDataPanel(portal, request) | ||
| + description = translate(form.description, context=request) | ||
| + self.assertTrue('<script>' not in description) | ||
|
|
||
|
|
||
| Repository: plone.tiles | ||
| Repository: plone.app.users | ||
|
|
||
|
|
||
| Branch: refs/heads/master | ||
| Date: 2016-09-12T10:39:48+03:00 | ||
| Author: Asko Soukka (datakurre) <asko.soukka@iki.fi> | ||
| Commit: https://github.com/plone/plone.tiles/commit/ef0d3f05560464cec98e32a22f57be86dcfb856d | ||
| Date: 2016-09-07T17:48:58+02:00 | ||
| Author: Maurits van Rees (mauritsvanrees) <maurits@vanrees.org> | ||
| Commit: https://github.com/plone/plone.app.users/commit/46c34bc8612c0558fc055385bd3d246d0b0a2b9e | ||
|
|
||
| Back to development: 1.7.2 | ||
| Give 404 when user-information form is called with not existing userid. | ||
|
|
||
| Files changed: | ||
| M CHANGES.rst | ||
| M setup.py | ||
| M plone/app/users/browser/userdatapanel.py | ||
| M plone/app/users/tests/test_user_data_panel.py | ||
|
|
||
| diff --git a/CHANGES.rst b/CHANGES.rst | ||
| index bcce100..d131718 100644 | ||
| index 045c6fd..069c410 100644 | ||
| --- a/CHANGES.rst | ||
| +++ b/CHANGES.rst | ||
| @@ -1,6 +1,12 @@ | ||
| Changelog | ||
| ========= | ||
| @@ -14,6 +14,9 @@ New features: | ||
|
|
||
| +1.7.2 (unreleased) | ||
| +------------------ | ||
| + | ||
| +- Nothing changed yet. | ||
| Bug fixes: | ||
| +- Give a 404 when the user-information form is called with a not | ||
| + existing userid. [maurits] | ||
| + | ||
| - Don't show unescaped user id in user-information form. | ||
| This applies PloneHotfix20160830. [maurits] | ||
|
|
||
| diff --git a/plone/app/users/browser/userdatapanel.py b/plone/app/users/browser/userdatapanel.py | ||
| index f28a809..2b6f827 100644 | ||
| --- a/plone/app/users/browser/userdatapanel.py | ||
| +++ b/plone/app/users/browser/userdatapanel.py | ||
| @@ -11,6 +11,7 @@ | ||
| from plone.app.users.browser.account import AccountPanelForm | ||
| from plone.app.users.browser.account import AccountPanelSchemaAdapter | ||
| from plone.registry.interfaces import IRegistry | ||
| +from zExceptions import NotFound | ||
|
|
||
| from ..schema import IUserDataSchema | ||
| from .schemaeditor import getFromBaseSchema | ||
| @@ -85,6 +86,11 @@ def description(self): | ||
| ) | ||
|
|
||
| def __call__(self): | ||
| + userid = self.request.form.get('userid') | ||
| + if userid: | ||
| + mt = getToolByName(self.context, 'portal_membership') | ||
| + if mt.getMemberById(userid) is None: | ||
| + raise NotFound('User does not exist.') | ||
| self.request.set('disable_border', 1) | ||
| return super(UserDataPanel, self).__call__() | ||
|
|
||
| diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py | ||
| index 7cbc9ba..a9aa7e0 100644 | ||
| --- a/plone/app/users/tests/test_user_data_panel.py | ||
| +++ b/plone/app/users/tests/test_user_data_panel.py | ||
| @@ -1,3 +1,4 @@ | ||
| +from zExceptions import NotFound | ||
| from plone.app.users.browser.userdatapanel import UserDataPanel | ||
| from plone.app.users.testing import PLONE_APP_USERS_FUNCTIONAL_TESTING | ||
| from zope.i18n import translate | ||
| @@ -18,6 +19,8 @@ def test_regression(self): | ||
| form = UserDataPanel(portal, request) | ||
| description = translate(form.description, context=request) | ||
| self.assertTrue('admin' in description) | ||
| + # form can be called without raising exception. | ||
| + self.assertTrue(form()) | ||
|
|
||
| def test_escape_html(self): | ||
| portal = self.layer['portal'] | ||
| @@ -28,3 +31,4 @@ def test_escape_html(self): | ||
| form = UserDataPanel(portal, request) | ||
| description = translate(form.description, context=request) | ||
| self.assertTrue('<script>' not in description) | ||
| + self.assertRaises(NotFound, form) | ||
|
|
||
|
|
||
| Repository: plone.app.users | ||
|
|
||
|
|
||
| Branch: refs/heads/master | ||
| Date: 2016-09-12T19:07:50+02:00 | ||
| Author: Jens W. Klein (jensens) <jk@kleinundpartner.at> | ||
| Commit: https://github.com/plone/plone.app.users/commit/9e20918433ba8ce1eb65ac33141cbaf56c460b24 | ||
|
|
||
| Merge pull request #60 from plone/apply-hotfix-20160830-master | ||
|
|
||
| Apply hotfix 20160830 master | ||
|
|
||
| Files changed: | ||
| A plone/app/users/tests/test_user_data_panel.py | ||
| M CHANGES.rst | ||
| M plone/app/users/browser/userdatapanel.py | ||
|
|
||
| diff --git a/CHANGES.rst b/CHANGES.rst | ||
| index a793b31..069c410 100644 | ||
| --- a/CHANGES.rst | ||
| +++ b/CHANGES.rst | ||
| @@ -14,7 +14,11 @@ New features: | ||
|
|
||
| Bug fixes: | ||
|
|
||
| -- *add item here* | ||
| +- Give a 404 when the user-information form is called with a not | ||
| + existing userid. [maurits] | ||
| + | ||
| 1.7.1 (2016-09-12) | ||
| ------------------ | ||
| +- Don't show unescaped user id in user-information form. | ||
| + This applies PloneHotfix20160830. [maurits] | ||
|
|
||
| diff --git a/setup.py b/setup.py | ||
| index a1382c5..9cb036b 100644 | ||
| --- a/setup.py | ||
| +++ b/setup.py | ||
| @@ -5,7 +5,7 @@ | ||
| import os | ||
|
|
||
| 2.3.7 (2016-08-18) | ||
| diff --git a/plone/app/users/browser/userdatapanel.py b/plone/app/users/browser/userdatapanel.py | ||
| index debc12d..2b6f827 100644 | ||
| --- a/plone/app/users/browser/userdatapanel.py | ||
| +++ b/plone/app/users/browser/userdatapanel.py | ||
| @@ -11,10 +11,14 @@ | ||
| from plone.app.users.browser.account import AccountPanelForm | ||
| from plone.app.users.browser.account import AccountPanelSchemaAdapter | ||
| from plone.registry.interfaces import IRegistry | ||
| +from zExceptions import NotFound | ||
|
|
||
| -version = '1.7.1' | ||
| +version = '1.7.2.dev0' | ||
| from ..schema import IUserDataSchema | ||
| from .schemaeditor import getFromBaseSchema | ||
|
|
||
| setup( | ||
| name='plone.tiles', | ||
| +import cgi | ||
| + | ||
| + | ||
|
|
||
| class UserDataPanelAdapter(AccountPanelSchemaAdapter): | ||
| """One does not simply set portrait, email might be used to login with. | ||
| @@ -72,7 +76,7 @@ def description(self): | ||
| return _( | ||
| u'description_personal_information_form_otheruser', | ||
| default='Change personal information for $name', | ||
| - mapping={'name': userid} | ||
| + mapping={'name': cgi.escape(userid)} | ||
| ) | ||
| else: | ||
| # editing my own profile | ||
| @@ -82,6 +86,11 @@ def description(self): | ||
| ) | ||
|
|
||
| def __call__(self): | ||
| + userid = self.request.form.get('userid') | ||
| + if userid: | ||
| + mt = getToolByName(self.context, 'portal_membership') | ||
| + if mt.getMemberById(userid) is None: | ||
| + raise NotFound('User does not exist.') | ||
| self.request.set('disable_border', 1) | ||
| return super(UserDataPanel, self).__call__() | ||
|
|
||
| diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py | ||
| new file mode 100644 | ||
| index 0000000..a9aa7e0 | ||
| --- /dev/null | ||
| +++ b/plone/app/users/tests/test_user_data_panel.py | ||
| @@ -0,0 +1,34 @@ | ||
| +from zExceptions import NotFound | ||
| +from plone.app.users.browser.userdatapanel import UserDataPanel | ||
| +from plone.app.users.testing import PLONE_APP_USERS_FUNCTIONAL_TESTING | ||
| +from zope.i18n import translate | ||
| + | ||
| +import unittest | ||
| + | ||
| + | ||
| +class TestUserDataPanel(unittest.TestCase): | ||
| + | ||
| + layer = PLONE_APP_USERS_FUNCTIONAL_TESTING | ||
| + | ||
| + def test_regression(self): | ||
| + portal = self.layer['portal'] | ||
| + request = self.layer['request'] | ||
| + request.form.update({ | ||
| + 'userid': 'admin' | ||
| + }) | ||
| + form = UserDataPanel(portal, request) | ||
| + description = translate(form.description, context=request) | ||
| + self.assertTrue('admin' in description) | ||
| + # form can be called without raising exception. | ||
| + self.assertTrue(form()) | ||
| + | ||
| + def test_escape_html(self): | ||
| + portal = self.layer['portal'] | ||
| + request = self.layer['request'] | ||
| + request.form.update({ | ||
| + 'userid': 'admin<script>alert("userid")</script>' | ||
| + }) | ||
| + form = UserDataPanel(portal, request) | ||
| + description = translate(form.description, context=request) | ||
| + self.assertTrue('<script>' not in description) | ||
| + self.assertRaises(NotFound, form) | ||
|
|
||
|
|