From 34dbc4ea8e3b3c562ed3b5baff53e6665504b0ec Mon Sep 17 00:00:00 2001
From: Anand Doshi
Date: Thu, 24 Sep 2015 19:54:37 +0530
Subject: [PATCH 1/4] [fix] allow a method to be defined as xss_safe
---
 frappe/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/frappe/__init__.py b/frappe/__init__.py
index a73abfd1b2..fc8d85c287 100644
--- a/frappe/__init__.py
+++ b/frappe/__init__.py
@@ -368,7 +368,7 @@ def whitelist(allow_guest=False, xss_safe=False):
 pass
 """
 def innerfn(fn):
- global whitelisted, guest_methods
+ global whitelisted, guest_methods, xss_safe_methods
 whitelisted.append(fn)
 if allow_guest:
From 17f911c6dc59361f5df7bc3d2ac6b341768f12f2 Mon Sep 17 00:00:00 2001
From: Anand Doshi
Date: Fri, 25 Sep 2015 12:55:44 +0530
Subject: [PATCH 2/4] [fix] csrf for open_url_post
---
 frappe/auth.py | 7 ++++++-
 frappe/public/js/legacy/handler.js | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/frappe/auth.py b/frappe/auth.py
index 72fdadd9a9..2cff14e097 100644
--- a/frappe/auth.py
+++ b/frappe/auth.py
@@ -61,7 +61,12 @@ class HTTPRequest:
 # not via boot
 return
- if frappe.local.session.data.csrf_token != frappe.get_request_header("X-Frappe-CSRF-Token"):
+ csrf_token = frappe.get_request_header("X-Frappe-CSRF-Token")
+ if not csrf_token and "csrf_token" in frappe.local.form_dict:
+ csrf_token = frappe.local.form_dict.csrf_token
+ del frappe.local.form_dict["csrf_token"]
+
+ if frappe.local.session.data.csrf_token != csrf_token:
 frappe.local.flags.disable_traceback = True
 frappe.throw(_("Invalid Request"), frappe.CSRFTokenError)
diff --git a/frappe/public/js/legacy/handler.js b/frappe/public/js/legacy/handler.js
index 96d3f7adb9..9b0ee5a656 100644
--- a/frappe/public/js/legacy/handler.js
+++ b/frappe/public/js/legacy/handler.js
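Review bot: The added `global` declaration is not what makes `xss_safe_methods.append(fn)` work: `global` is only required to rebind a module-level name, and `innerfn` only mutates lists in place, exactly as `whitelisted.append(fn)` on the next line does without any such declaration. If the previous code raised a NameError, the more likely cause is that `xss_safe_methods` was not defined at module level at the point `whitelist` was first used — worth confirming, because otherwise the whole `global` line is dead weight and can be dropped. The docstring that ends just above the changed line should also say what `xss_safe=True` means for a method's response (presumably the branch below the hunk appends `fn` to `xss_safe_methods` when the flag is set; what consumers of that list do with it is outside this hunk). `innerfn` and `whitelist` both continue beyond the hunk.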
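Review bot: The comparison `frappe.local.session.data.csrf_token != csrf_token` is a plain string compare and, as written, also passes when both sides are empty — a request with neither header nor form field yields `csrf_token = None`, which equals a session token that was never set. Rejecting a missing token explicitly and comparing in constant time closes both gaps, e.g. `if not csrf_token or not hmac.compare_digest(str(frappe.local.session.data.csrf_token), str(csrf_token)):` with `import hmac` at the top of the file; the early `return` visible above the change may already guarantee a non-empty session token, which is worth confirming before relying on it. A one-line comment on the fallback, such as `# token posted by open_url_post is consumed here so it is not forwarded to the whitelisted method`, would record why the key is deleted from form_dict. The enclosing HTTPRequest method starts and ends outside the hunk.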
@@ -86,6 +86,7 @@ function open_url_post(URL, PARAMS, new_window) {
 if(new_window){
 temp.target = '_blank';
 }
+ PARAMS["csrf_token"] = frappe.csrf_token;
 for(var x in PARAMS) {
 var opt=document.createElement("textarea");
 opt.name=x;
From d792ba7abfb98270e9c368f9f4cdfecba5ec639c Mon Sep 17 00:00:00 2001
From: Anand Doshi
Date: Fri, 25 Sep 2015 13:04:13 +0530
Subject: [PATCH 3/4] [fix] make map_current_doc a POST request
---
 frappe/public/js/frappe/model/create_new.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/frappe/public/js/frappe/model/create_new.js b/frappe/public/js/frappe/model/create_new.js
index 5e6a56219d..3c81c4e6fd 100644
--- a/frappe/public/js/frappe/model/create_new.js
+++ b/frappe/public/js/frappe/model/create_new.js
@@ -241,7 +241,9 @@ $.extend(frappe.model, {
 }
 var _map = function() {
 return frappe.call({
- type: "GET",
+ // Sometimes we hit the limit for URL length of a GET request
+ // as we send the full target_doc. Hence this is a POST request.
+ type: "POST",
 method: opts.method,
 args: {
 "source_name": opts.source_name,
From 2f5a903f963f57cd09065d237e2176462b0f5f91 Mon Sep 17 00:00:00 2001
From: Anand Doshi
Date: Fri, 25 Sep 2015 13:37:20 +0600
Subject: [PATCH 4/4] bumped to version 6.4.4
---
 frappe/__version__.py | 2 +-
 frappe/hooks.py | 2 +-
 setup.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/frappe/__version__.py b/frappe/__version__.py
index fce0ca0b23..1ee0cffaac 100644
--- a/frappe/__version__.py
+++ b/frappe/__version__.py
@@ -1,2 +1,2 @@
 from __future__ import unicode_literals
-__version__ = "6.4.3"
+__version__ = "6.4.4"
diff --git a/frappe/hooks.py b/frappe/hooks.py
index f9e7a0981f..114bbd0cc2 100644
--- a/frappe/hooks.py
+++ b/frappe/hooks.py
@@ -26,7 +26,7 @@ to ERPNext.
 """
 app_icon = "octicon octicon-circuit-board"
-app_version = "6.4.3"
+app_version = "6.4.4"
 app_color = "orange"
 github_link = "https://github.com/frappe/frappe"
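Review bot: `PARAMS["csrf_token"] = frappe.csrf_token;` writes into the object the caller passed in, so any caller that keeps and reuses its PARAMS object now carries a `csrf_token` key it never asked for, and when `frappe.csrf_token` is unset in the current context the loop below presumably emits a field with an empty or `undefined` value rather than omitting it — worth confirming which, since the server-side check added to frappe/auth.py in this series rejects a mismatching token either way. Building the form from a copy keeps the caller's object intact, e.g. `PARAMS = $.extend({}, PARAMS, {csrf_token: frappe.csrf_token});`, assuming jQuery is available to this legacy bundle as it is to create_new.js in the same series. A short comment would tie the field to its consumer, e.g. `// frappe.auth.HTTPRequest reads this field when the X-Frappe-CSRF-Token header is absent`. open_url_post's body continues beyond the hunk.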
diff --git a/setup.py b/setup.py
index 6ca8656a46..4f738c389c 100644
--- a/setup.py
+++ b/setup.py
@@ -1,6 +1,6 @@
 from setuptools import setup, find_packages
-version = "6.4.3"
+version = "6.4.4"
 with open("requirements.txt", "r") as f:
 install_requires = f.readlines()