
SECURITY bug fix #7

Merged
merged 1 commit into from

2 participants

@tomwys

With the current implementation, user data is leaking. If django-envelope prefills the form, all non-logged-in users see the pre-filled data.

@zsiciarz zsiciarz merged commit 9149a59 into from
@zsiciarz
Owner

Oh bugger! Thanks for catching this, 0.4.1 with the fix will be out soon.

Commits on Jan 3, 2012
  1. @tomwys

    Fix ContactView.get_initial.

    tomwys authored
Showing with 7 additions and 1 deletion.
  1. +6 −0 envelope/tests/views.py
  2. +1 −1  envelope/views.py
6 envelope/tests/views.py
@@ -3,6 +3,7 @@
"""
from django.conf import settings
+from django.contrib.auth import logout
from django.contrib.auth.models import User
from django.core.urlresolvers import reverse
from django.test import TestCase
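Review bot: the added `from django.contrib.auth import logout` import is never used in this file; the new test below logs out via `self.client.logout()`, not the `logout` view helper, so the import should be dropped to keep the test module lint-clean.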
@@ -52,6 +53,11 @@ def test_prefilled_form(self):
self.assertContains(response, 'value="test (John Doe)"')
self.assertContains(response, 'value="test@example.org"')
+ self.client.logout()
+ response = self.client.get(self.url)
+ self.assertNotContains(response, 'value="test (John Doe)"')
+ self.assertNotContains(response, 'value="test@example.org"')
+
def test_prefilled_form_no_full_name(self):
u"""
In case the user is authenticated, but doesn't have his first and last
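Review bot: the regression check only asserts that the previously prefilled values are absent after `self.client.logout()`; add `self.assertEqual(response.status_code, 200)` before the two `assertNotContains` calls so that a redirect or error page cannot make the test pass vacuously. The shape of the test is otherwise right: issuing an authenticated request and then an anonymous one in the same process is exactly the sequence that exposed the leak.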
2  envelope/views.py
@@ -67,7 +67,7 @@ def get_initial(self):
u"""
Automatically fills form fields for authenticated users.
"""
- initial = super(ContactView, self).get_initial()
+ initial = super(ContactView, self).get_initial().copy()
user = self.request.user
if user.is_authenticated():
# the user might not have a full name, depends on the registration
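Review bot: the one-line `.copy()` fix is correct but should carry a comment explaining why it is there, or the next reader will remove it as redundant. The value returned by `super(ContactView, self).get_initial()` is the same dict object on every request, so assigning the user's name and e-mail into it persisted those values for every later, anonymous visitor; copying gives each request its own dict, and a shallow copy suffices because the assigned values are plain strings. Something like `# copy: the base initial dict is shared across requests` above the line, or `initial = dict(super(ContactView, self).get_initial())`, would make the intent explicit.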