fixed potential vulnerability in form CSRF handling, thanks Anthony

This commit is contained in:
mdipierro
2013-04-28 23:09:49 -05:00
parent 31e992696c
commit 681bc9755e
2 changed files with 2 additions and 2 deletions
+1 -1
@@ -1 +1 @@
Version 2.4.6-stable+timestamp.2013.04.28.23.04.43
Version 2.4.6-stable+timestamp.2013.04.28.23.09.04
+1 -1
@@ -1995,7 +1995,7 @@ class FORM(DIV):
if session is not None:
formkey = session.get('_formkey[%s]' % formname, None)
# check if user tampering with form and void CSRF
if formkey != request_vars._formkey:
if not formkey or formkey != request_vars._formkey:
status = False
if formname != request_vars._formname:
status = False
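Review bot: The token comparison on the new line `if not formkey or formkey != request_vars._formkey:` is still an ordinary string comparison, which returns as soon as the first differing byte is found and so leaks how many leading bytes of the submitted key matched; where the supported interpreters provide `hmac.compare_digest`, compare with `not formkey or not hmac.compare_digest(str(formkey), str(request_vars._formkey))` (the `str()` coercion matters because a repeated `_formkey` parameter may arrive as a list, which must still fail closed). The added `not formkey` guard correctly closes the case where neither the session nor the request carries a key and `None == None` previously passed. The whole check is skipped when `session is None` on the line above the hunk, so a form accepted without a session gets no CSRF check at all; a comment such as `# no session: no CSRF check possible, caller must accept the risk` would make that visible to maintainers. Whether the key is rotated or removed from the session after a successful check is outside this hunk; if it is not, a captured key remains valid for replay for the life of the session. The enclosing method of `FORM` begins and ends outside the hunk.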