[tokkee]

tokkee.org

Code

projects / roundup.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: a7e6e07) | patch
Plug a number of security holes:
authorrichard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2>
Thu, 12 Mar 2009 02:25:03 +0000 (02:25 +0000)
committerrichard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2>
Thu, 12 Mar 2009 02:25:03 +0000 (02:25 +0000)
commit0de2c5584be47b04af7b389a1812a478a302dbc6
treec01418ae965397174a20fd3f2c254b703c2e7474tree | snapshot
parenta7e6e07a193dc636305fe29b683a2403d1d0b7eccommit | diff
Plug a number of security holes:

- EditCSV and ExportCSV altered to include permission checks
- HTTP POST required on actions which alter data
- HTML file uploads served as application/octet-stream
- New item action reject creation of new users
- Item retirement was not being controlled

Additionally include documentation of the changes and modify affected tests.

git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4180 57a73879-2fb5-44c3-a270-3262357dd7e2
12 files changed:
CHANGES.txt diff | blob | history
doc/customizing.txt diff | blob | history
doc/upgrading.txt diff | blob | history
roundup/__init__.py diff | blob | history
roundup/cgi/actions.py diff | blob | history
roundup/cgi/client.py diff | blob | history
roundup/cgi/templating.py diff | blob | history
roundup/configuration.py diff | blob | history
roundup/security.py diff | blob | history
share/roundup/templates/classic/html/user.index.html diff | blob | history
share/roundup/templates/classic/schema.py diff | blob | history
test/test_cgi.py diff | blob | history
Roundup Issue Tracker (SVN clone)