Merge branch 'develop'

frappe/__init__.py

@@ -368,7 +368,7 @@ def whitelist(allow_guest=False, xss_safe=False):
 			pass
 	"""
 	def innerfn(fn):
-		global whitelisted, guest_methods
+		global whitelisted, guest_methods, xss_safe_methods
 		whitelisted.append(fn)
 
 		if allow_guest:

frappe/__version__.py

@@ -1,2 +1,2 @@
 from __future__ import unicode_literals
-__version__ = "6.4.3"
+__version__ = "6.4.4"

frappe/auth.py

@@ -61,7 +61,12 @@ class HTTPRequest:
 				# not via boot
 				return
 
-			if frappe.local.session.data.csrf_token != frappe.get_request_header("X-Frappe-CSRF-Token"):
+			csrf_token = frappe.get_request_header("X-Frappe-CSRF-Token")
+			if not csrf_token and "csrf_token" in frappe.local.form_dict:
+				csrf_token = frappe.local.form_dict.csrf_token
+				del frappe.local.form_dict["csrf_token"]
+
+			if frappe.local.session.data.csrf_token != csrf_token:
 				frappe.local.flags.disable_traceback = True
 				frappe.throw(_("Invalid Request"), frappe.CSRFTokenError)
 

frappe/hooks.py

@@ -26,7 +26,7 @@ to ERPNext.
 """
 
 app_icon = "octicon octicon-circuit-board"
-app_version = "6.4.3"
+app_version = "6.4.4"
 app_color = "orange"
 github_link = "https://github.com/frappe/frappe"
 

frappe/public/js/frappe/model/create_new.js

@@ -241,7 +241,9 @@ $.extend(frappe.model, {
 		}
 		var _map = function() {
 			return frappe.call({
-				type: "GET",
+				// Sometimes we hit the limit for URL length of a GET request
+				// as we send the full target_doc. Hence this is a POST request.
+				type: "POST",
 				method: opts.method,
 				args: {
 					"source_name": opts.source_name,

frappe/public/js/legacy/handler.js

@@ -86,6 +86,7 @@ function open_url_post(URL, PARAMS, new_window) {
 	if(new_window){
 		temp.target = '_blank';
 	}
+	PARAMS["csrf_token"] = frappe.csrf_token;
 	for(var x in PARAMS) {
 		var opt=document.createElement("textarea");
 		opt.name=x;

setup.py

@@ -1,6 +1,6 @@
 from setuptools import setup, find_packages
 
-version = "6.4.3"
+version = "6.4.4"
 
 with open("requirements.txt", "r") as f:
 	install_requires = f.readlines()