hi samizdat-devel,

Here's a hack which i think fixes the password change bug #20491
https://savannah.nongnu.org/bugs/?20491

The change in application_helper.rb - action_token_key is clearly a hack - a better solution would be in member_controller, but i didn't want to mess around with member_controller too much.

IMHO the problem is confusion in the 2-stage process of "change":

1. "index" method and request.route = member - presents a form for the user to change his/her password (or other member parameters) with the
2. the "change" method and request.route = member/change - checks the data, checks for the action_token against cross-scripting attacks, and then does the change

The problem in 070618-1 is that the action_confirmed? script compares tokens from member and member/change and finds that something is different and so rejects the attempted change.
The hack in application_helper.rb:
def action_token_key
- %{action_token/#{ session.login}#{ request.route}}
+ %{action_token/#{ session.login}#{ request.route}}.sub("/member/change","
/member")
end
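Review bot: the `sub("/member/change","/member")` in `action_token_key` collapses the submit route onto the form route so that action_confirmed? computes the same key at both stages, which does address the mismatch described above; but it is an unanchored substring replacement, so any route that merely begins with /member/change is rewritten as well, and the `changed_ok` method this same patch adds to member_controller is one such route (/member/changed_ok would become /memberd_ok). That is harmless if the feedback page never checks a token, but anchoring the match (a regex tied to the end of the route, or comparing the whole route) would avoid the surprise. The helper also hard-codes one route pair, so every other form-on-one-route, submit-on-another action will need its own rewrite; deriving the key from the controller rather than the full route, along the lines the author suggests for member_controller, would cover them all at once.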
is one way of hacking around this.

i've also made a change in member_controller, since despite the recommendation to users to press the 'back' button, some users might decide to log out after changing their password, without bothering to use the back button since they see a logout prompt already. In the absence of this change, something goes wrong and seems to cause an infinite URI redirect. Hence the change in member_controller shifts the feedback page to a separate method "changed_ok".

patch: https://savannah.nongnu.org/bugs/download.php?file_id=13575

cheers
boud
_______________________________________________
samizdat-devel mailing list
samizdat-devel nongnu.org
http://lists.nongnu.org/mailman/listinfo/samizdat-devel
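The two-stage token mismatch described in the mail, and the route-collapsing fix, as an added Ruby example that is not Samizdat's code or boud's patch. It builds a minimal per-action CSRF token store keyed the way the patched helper keys it (session login plus route), runs a password change whose form is rendered on /member and submitted to /member/change under both the raw-route key and the collapsed key, and checks that a token never issued for that key is rejected. The names ActionTokenStore, issue, two_stage_change, forged_token_rejected?, RAW_ROUTE and COLLAPSE_CHANGE are assumptions of this example; the anchored regex in COLLAPSE_CHANGE is a variant of the author's String#sub, chosen so that only an exact "/member/change" is rewritten.

```ruby
# Added example, not Samizdat's code: a minimal per-action CSRF token store
# keyed like the patched action_token_key helper (session login + route), to
# show why a two-stage action whose form is rendered on one route and submitted
# on another fails the token check, and how normalizing the route lets both
# stages share one key. ActionTokenStore, issue and two_stage_change are
# hypothetical names.
require 'securerandom'

class ActionTokenStore
  # normalize: a callable that maps a request route to the route used in the key
  def initialize(normalize:)
    @session = {}          # stands in for the per-user session store
    @normalize = normalize
  end

  # Same shape as the patched helper: login plus the (normalized) route
  def token_key(login, route)
    "action_token/#{login}#{@normalize.call(route)}"
  end

  # Stage 1: called while rendering the form; issues a fresh token for this key
  # (or reuses the one already in the session) and returns it for the hidden field
  def issue(login, route)
    @session[token_key(login, route)] ||= SecureRandom.hex(16)
  end

  # Stage 2: called by the handler that performs the action; the submitted token
  # must match the one stored under this login+route key
  def action_confirmed?(login, route, submitted)
    expected = @session[token_key(login, route)]
    return false if expected.nil? || submitted.nil?
    secure_compare(expected, submitted)
  end

  private

  # Constant-time comparison so a mismatch leaks nothing about which byte differed
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Key on the raw route (the 070618-1 behaviour the mail describes)
RAW_ROUTE = ->(route) { route }

# Collapse the submit route onto the form route, as the patch does, but anchored
# with a regex so that only an exact "/member/change" is rewritten and a route
# such as "/member/changed_ok" is left untouched (an unanchored String#sub would
# turn it into "/memberd_ok")
COLLAPSE_CHANGE = ->(route) { route.sub(%r{\A/member/change\z}, '/member') }

# Walk the two stages of a password change for one login and report whether the
# token issued on the form route is accepted on the submit route
def two_stage_change(normalize, login: 'alice')
  store = ActionTokenStore.new(normalize: normalize)
  token = store.issue(login, '/member')                   # stage 1: form on /member
  store.action_confirmed?(login, '/member/change', token) # stage 2: submit to /member/change
end

# A token that was never issued for this login+route key must be rejected
def forged_token_rejected?(normalize)
  store = ActionTokenStore.new(normalize: normalize)
  store.issue('alice', '/member')
  !store.action_confirmed?('alice', '/member/change', SecureRandom.hex(16))
end

if __FILE__ == $PROGRAM_NAME
  puts "raw route key:         #{two_stage_change(RAW_ROUTE)}"         # false
  puts "collapsed route key:   #{two_stage_change(COLLAPSE_CHANGE)}"   # true
  puts "forged token rejected: #{forged_token_rejected?(COLLAPSE_CHANGE)}" # true
end
```

Under the raw-route key the form stage stores the token under `action_token/alice/member` and the submit stage looks it up under `action_token/alice/member/change`, finds nothing, and refuses the change; collapsing the route makes both stages agree on one key while a token that was not issued for that key is still rejected by the constant-time compare.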