Merge pull request #22147 from frappe/version-13-hotfix

chore: release v13
frappe · Aug 22, 2023 · db0a164 · db0a164
2 parents 441c7ab + dd75f6c
commit db0a164
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/frappe/core/doctype/user/test_user.py b/frappe/core/doctype/user/test_user.py
@@ -361,6 +361,9 @@ def test_reset_password(self):
 		set_request(path="/random")
 		frappe.local.cookie_manager = CookieManager()
 		frappe.local.login_manager = LoginManager()
+		# used by rate limiter when calling reset_password
+		frappe.local.request_ip = "127.0.0.69"
+		frappe.db.set_single_value("System Settings", "password_reset_limit", 6)
 
 		frappe.set_user("testpassword@example.com")
 		test_user = frappe.get_doc("User", "testpassword@example.com")

diff --git a/frappe/core/doctype/user/user.py b/frappe/core/doctype/user/user.py
@@ -869,7 +869,7 @@ def sign_up(email, full_name, redirect_to):
 
 
 @frappe.whitelist(allow_guest=True)
-@rate_limit(limit=get_password_reset_limit, seconds=24 * 60 * 60, methods=["POST"])
+@rate_limit(limit=get_password_reset_limit, seconds=24 * 60 * 60)
 def reset_password(user):
 	if user == "Administrator":
 		return "not allowed"

diff --git a/frappe/utils/jinja.py b/frappe/utils/jinja.py
@@ -5,14 +5,24 @@
 
 def get_jenv():
 	import frappe
-	from frappe.utils.safe_exec import get_safe_globals
 
 	if not getattr(frappe.local, "jenv", None):
 		from jinja2 import DebugUndefined
 		from jinja2.sandbox import SandboxedEnvironment
 
+		from frappe.utils.safe_exec import UNSAFE_ATTRIBUTES, get_safe_globals
+
+		UNSAFE_ATTRIBUTES = UNSAFE_ATTRIBUTES - {"format", "format_map"}
+
+		class FrappeSandboxedEnvironment(SandboxedEnvironment):
+			def is_safe_attribute(self, obj, attr, *args, **kwargs):
+				if attr in UNSAFE_ATTRIBUTES:
+					return False
+
+				return super().is_safe_attribute(obj, attr, *args, **kwargs)
+
 		# frappe will be loaded last, so app templates will get precedence
-		jenv = SandboxedEnvironment(loader=get_jloader(), undefined=DebugUndefined)
+		jenv = FrappeSandboxedEnvironment(loader=get_jloader(), undefined=DebugUndefined)
 		set_filters(jenv)
 
 		jenv.globals.update(get_safe_globals())

diff --git a/frappe/website/doctype/web_form/web_form.py b/frappe/website/doctype/web_form/web_form.py
@@ -412,7 +412,7 @@ def get_web_form_module(doc):
 
 
 @frappe.whitelist(allow_guest=True)
-@rate_limit(key="web_form", limit=5, seconds=60, methods=["POST"])
+@rate_limit(key="web_form", limit=5, seconds=60)
 def accept(web_form, data, for_payment=False):
 	"""Save the web form"""
 	data = frappe._dict(json.loads(data))