Merge pull request #60 from plone/apply-hotfix-20160830-master

Apply hotfix 20160830 master
plone · Sep 12, 2016 · 9e20918 · 9e20918
2 parents 44428b2 + 46c34bc
commit 9e20918
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -14,7 +14,11 @@ New features:
 
 Bug fixes:
 
-- *add item here*
+- Give a 404 when the user-information form is called with a not
+  existing userid.  [maurits]
+
+- Don't show unescaped user id in user-information form.
+  This applies PloneHotfix20160830.  [maurits]
 
 
 2.3.7 (2016-08-18)

diff --git a/plone/app/users/browser/userdatapanel.py b/plone/app/users/browser/userdatapanel.py
@@ -11,10 +11,14 @@
 from plone.app.users.browser.account import AccountPanelForm
 from plone.app.users.browser.account import AccountPanelSchemaAdapter
 from plone.registry.interfaces import IRegistry
+from zExceptions import NotFound
 
 from ..schema import IUserDataSchema
 from .schemaeditor import getFromBaseSchema
 
+import cgi
+
+
 
 class UserDataPanelAdapter(AccountPanelSchemaAdapter):
     """One does not simply set portrait, email might be used to login with.
@@ -72,7 +76,7 @@ def description(self):
             return _(
                 u'description_personal_information_form_otheruser',
                 default='Change personal information for $name',
-                mapping={'name': userid}
+                mapping={'name': cgi.escape(userid)}
             )
         else:
             # editing my own profile
@@ -82,6 +86,11 @@ def description(self):
             )
 
     def __call__(self):
+        userid = self.request.form.get('userid')
+        if userid:
+            mt = getToolByName(self.context, 'portal_membership')
+            if mt.getMemberById(userid) is None:
+                raise NotFound('User does not exist.')
         self.request.set('disable_border', 1)
         return super(UserDataPanel, self).__call__()
 

diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py
@@ -0,0 +1,34 @@
+from zExceptions import NotFound
+from plone.app.users.browser.userdatapanel import UserDataPanel
+from plone.app.users.testing import PLONE_APP_USERS_FUNCTIONAL_TESTING
+from zope.i18n import translate
+
+import unittest
+
+
+class TestUserDataPanel(unittest.TestCase):
+
+    layer = PLONE_APP_USERS_FUNCTIONAL_TESTING
+
+    def test_regression(self):
+        portal = self.layer['portal']
+        request = self.layer['request']
+        request.form.update({
+            'userid': 'admin'
+        })
+        form = UserDataPanel(portal, request)
+        description = translate(form.description, context=request)
+        self.assertTrue('admin' in description)
+        # form can be called without raising exception.
+        self.assertTrue(form())
+
+    def test_escape_html(self):
+        portal = self.layer['portal']
+        request = self.layer['request']
+        request.form.update({
+            'userid': 'admin<script>alert("userid")</script>'
+        })
+        form = UserDataPanel(portal, request)
+        description = translate(form.description, context=request)
+        self.assertTrue('<script>' not in description)
+        self.assertRaises(NotFound, form)