Commit 8cc8fb5d authored by Arnaud Fontaine's avatar Arnaud Fontaine

Backport: Base_callDialogMethod: Do not redirect when form has a password field.

If it is the case *and* the action script does not redirect, the password will be
in user's browser history.
There can be two different reasons to not redirect:
- not following the API (ie, intentionally not redirecting)
- letting an exception reach ZPublisher
Also, if the non-redirection causes an HTML page to be rendered, resources
loaded by that page will have a referrer containing the password, leaking it
to potentially foreign servers.
parent b15f7905
......@@ -60,14 +60,12 @@ from Products.ERP5Type.Log import log\n
\n
# XXX We should not use meta_type properly,\n
# XXX We need to discuss this problem.(yusei)\n
def isFieldType(field, type_name):\n
if field.meta_type == \'ProxyField\':\n
field = field.getRecursiveTemplateField()\n
return field.meta_type == type_name\n
def isListBox(field):\n
if field.meta_type==\'ListBox\':\n
return True\n
elif field.meta_type==\'ProxyField\':\n
template_field = field.getRecursiveTemplateField()\n
if template_field.meta_type==\'ListBox\':\n
return True\n
return False\n
return isFieldType(field, \'ListBox\')\n
\n
from Products.Formulator.Errors import FormValidationError\n
from ZTUtils import make_query\n
......@@ -167,7 +165,7 @@ for field in form.get_fields():\n
if v is not MARKER:\n
if isListBox(field):\n
listbox_id_list.append(k)\n
elif can_redirect and (v in (None, [], ()) or hasattr(v, \'read\')) : # If we cannot redirect, useless to test it again\n
elif can_redirect and (v in (None, [], ()) or hasattr(v, \'read\') or \'password\' in k or isFieldType(field, \'PasswordField\')) : # If we cannot redirect, useless to test it again\n
can_redirect = 0\n
\n
# Cleanup my_ and your_ prefixes\n
......
41108
\ No newline at end of file
41109
\ No newline at end of file
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment