1. 10 Nov, 2016 1 commit
      Backport: Base_callDialogMethod: Do not redirect when form has a password field. · 8cc8fb5d
      Arnaud Fontaine authored
      If it is the case *and* the action script does not redirect, the password will be
      in the user's browser history.
      There can be two different reasons to not redirect:
      - not following the API (i.e., intentionally not redirecting)
      - letting an exception reach ZPublisher
      Also, if the non-redirection causes an HTML page to be rendered, resources
      loaded by that page will have a referrer containing the password, leaking it
      to potentially foreign servers.
  2. 04 Nov, 2016 2 commits
  3. 21 Oct, 2016 2 commits
      Backport 6fd21826 ListBox fix from master branch (#KMS-819). · 78445246
      Arnaud Fontaine authored
      ListBox: Navigation methods should not be created when rendering ListBox (#20161014-741678).
      
      These methods were generated when rendering the ListBox and with the id
      of the ListBox in their name. However, a customer reported the following
      problem on Accounting Periods ListBox:
      
        1. Display Accounting Period ListBox on ZEO-1.
             => The ListBox will be rendered and 'listbox_period_list_*' methods will be generated on ZEO-1.
        2. Click on 'Next Page' button and the user is redirected to ZEO-2 where the ListBox has never been generated.
             => The method does not exist yet and thus a 404 error is raised.
      
      Instead of having one method per ListBox ID, only one is now created (eg
      listbox_setPage() for SelectionTool.setPage()) at Zope startup and the
      ListBox ID previously defined in the method name is now defined in the
      value attributes of the buttons.
      Portal Type as Classes: Fix memory leak: Workflow method list was never... · 3ecb8c85
      Arnaud Fontaine authored
      Portal Type as Classes: Fix memory leak: Workflow method list was never emptied and thus reset Workflow Methods were never GC.
  4. 04 Apr, 2016 1 commit
      Fix memory leak and DoS in ERP5Site.log() and Base.log() · 34cb27f2
      Julien Muchembled authored
      ERP5Site.log and Base.log are wrappers to the 'log' function from
      Product.ERP5Type.Log, but parameters were forwarded in a wrong way
      when called with a single argument:
      
        self.log(message) # Base method
      
      This was equivalent to:
      
        log(message, '')  # function from Product.ERP5Type.Log
      
      And the whole message was later part of subsystem in:
      
        logger = logging.getLogger(subsystem)
      
      But because loggers are never freed, it is important that 'subsystem' does not
      vary too often, to avoid a memory leak.
      
      The fix is to simply forward parameters with catchall arguments, instead of
      duplicating the signature from Product.ERP5Type.Log.
      
      Of course, it remains important to call these methods correctly, otherwise
      memory leaks can happen again. For this reason, catchall arguments also
      prevent ERP5Site.log and Base.log from being called by ZPublisher.
      Reported-by: Kirill Smelkov <kirr@nexedi.com>
      Reviewed-by: Kirill Smelkov <kirr@nexedi.com>
  5. 10 Jun, 2015 1 commit
  6. 25 Nov, 2014 2 commits
  7. 05 Nov, 2014 1 commit
  8. 22 Sep, 2014 1 commit
  9. 05 Sep, 2014 1 commit
  10. 04 Sep, 2014 1 commit
  11. 25 Aug, 2014 2 commits
  12. 29 Jul, 2014 1 commit
  13. 06 Mar, 2014 1 commit
  14. 13 Dec, 2013 1 commit
  15. 12 Dec, 2013 1 commit
      Support properly HTML5 implicit form submission. · 2ceffaa9
      Arnaud Fontaine authored
      From Chromium 31, pressing the Enter key to select a ListBox page submits the form
      through JS (submitFormOnEnter) *and* wrongly on the default button, at the end
      following HTML5 behavior (4.10.22.2 Implicit submission).
      
      Conflicts:
      	product/ERP5/bootstrap/erp5_xhtml_style/bt/change_log
      	product/ERP5/bootstrap/erp5_xhtml_style/bt/revision
  16. 31 Oct, 2013 1 commit
      Portal Type as Classes, ZODB Property Sheets: Ensure that they are reset on · 86fc5cb4
      Arnaud Fontaine authored
      other ZEO clients even if ZODB Components are not.
      
      Steps to reproduce:
      
        1/ On zope1, view and edit a person to make sure class is fully loaded.
        2/ On zope2 add an interaction in person_interaction_workflow and add a script raising an exception.
        3/ Edit a person on zope2. The exception is raised, confirming that the interaction is called.
      
        When editing a person on zope1, the exception is not raised.
  17. 29 Oct, 2013 1 commit
      AccessTab: Fix an accesstab front page caching problem. · 5d6af31e
      Tatuya Kamada authored
      Fix a problem where access-tab-front-page wrongly cached an old page: for example,
      even if a user switched from 'http' to 'https', old 'http' links
      remained at the front page.
      
      That was because the key of the CachingMethod which was used for caching the
      page was ('user' and 'language').
      Now the caching key is ('user', 'language' and 'site_url').
  18. 13 Sep, 2013 1 commit
  19. 05 Sep, 2013 1 commit
  20. 21 Aug, 2013 1 commit
  21. 19 Aug, 2013 7 commits
  22. 09 Aug, 2013 3 commits
  23. 08 Aug, 2013 6 commits
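
The logger leak described in commit 34cb27f2 above, reproduced as an added example (not code from the ERP5 repository). `log()` here is a hypothetical stand-in for the wrapped function, assumed to treat a lone argument as the message and the first of two arguments as the subsystem; `BuggyBase`, `FixedBase`, `logger_growth` and the sample messages are constructed.

```python
import logging

_MISSING = object()


def log(description, content=_MISSING, level=logging.INFO):
    # Hypothetical stand-in for the wrapped log function (assumed behaviour):
    # one argument -> it is the message; two -> the first names the subsystem.
    if content is _MISSING:
        subsystem, message = "app", description
    else:
        subsystem, message = description, content
    # logging keeps every named logger in a process-wide registry, forever.
    logging.getLogger(subsystem).log(level, message)


class BuggyBase:
    # Duplicates the signature with its own default, so content is always
    # passed and a lone message ends up as the logger name.
    def log(self, description, content="", level=logging.INFO):
        return log(description, content, level)


class FixedBase:
    # Catch-all forwarding: the wrapped function sees exactly what the caller gave.
    def log(self, *args, **kw):
        return log(*args, **kw)


def logger_growth(obj, messages):
    """Return how many entries obj.log() added to logging's logger registry."""
    registry = logging.Logger.manager.loggerDict
    before = len(registry)
    for message in messages:
        obj.log(message)
    return len(registry) - before


if __name__ == "__main__":
    # Constructed sample input: messages that vary per request.
    sample = ["request %d failed" % i for i in range(1000)]
    print("buggy wrapper added", logger_growth(BuggyBase(), sample), "loggers")
    print("fixed wrapper added", logger_growth(FixedBase(), sample), "loggers")
```

Tracking `len(logging.Logger.manager.loggerDict)` over time in a long-running process is a cheap way to catch this class of leak, whatever code path introduces it.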