fixed guessable CSRF token when detect_record_change, thanks Stephen Röttger

This commit is contained in:
mdipierro
2014-07-02 08:27:02 -05:00
parent eec39aeeec
commit 55016cbd4d
4 changed files with 6 additions and 6 deletions
+1 -1
View File
@@ -1 +1 @@
Version 2.9.5-trunk+timestamp.2014.07.02.07.25.19
Version 2.9.5-trunk+timestamp.2014.07.02.08.25.23
+1 -1
View File
@@ -222,7 +222,7 @@ class Collection(object):
'href':URL(args=request.args,vars=vars,scheme=True)}
if self.extensions and limitby[0]>0:
vars = dict(request.get_vars)
vars['_offset'] = max(0,limitby[0]-1-delta)
vars['_offset'] = max(0,limitby[0]-delta)
vars['_limit'] = limitby[0]
r['previous'] = {'rel':'previous',
'href':URL(args=request.args,vars=vars,scheme=True)}
+2 -2
View File
@@ -133,6 +133,8 @@ def populate_generator(table, default=True, compute=False, contents={}):
continue
elif field.type == 'id':
continue
elif field.type == 'upload':
continue
elif default and not field.default in (None, ''):
record[fieldname] = field.default
elif compute and field.compute:
@@ -153,8 +155,6 @@ def populate_generator(table, default=True, compute=False, contents={}):
record[fieldname] = datetime.time(h, m, 0)
elif field.type == 'password':
record[fieldname] = ''
elif field.type == 'upload':
record[fieldname] = None
elif field.type == 'integer' and \
hasattr(field.requires, 'options'):
options = field.requires.options(zero=False)
+2 -2
View File
@@ -2101,7 +2101,7 @@ class FORM(DIV):
status = False
if status and session:
# check if editing a record that has been modified by the server
if hasattr(self, 'record_hash') and self.record_hash != formkey:
if hasattr(self, 'record_hash') and self.record_hash != formkey.split(':')[0]:
status = False
self.record_changed = changed = True
status = self._traverse(status, hideerror)
@@ -2129,7 +2129,7 @@ class FORM(DIV):
status = False
if not session is None:
if hasattr(self, 'record_hash'):
formkey = self.record_hash
formkey = self.record_hash+':'+web2py_uuid()
else:
formkey = web2py_uuid()
self.formkey = formkey