/announce page: add an explicit ACTION value for the form so that a 'to=...' URL parameter does not end up shadowing the 'to' field of the form and causing the announcement to be sent to the URL-provided address even if that form field is edited.
Commit
2fa43ef4fb5adaf4053229470c5c4eaf1c01f716c9424ae070cde54f09ffe09d
Parent
da9f362015a3f77…
1 file changed
+9
-1
+9
-1
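--- a/src/alerts.c
+++ b/src/alerts.c
@@ -3255,18 +3255,26 @@
 ** also send a message to an arbitrary email address and/or to all
 ** subscribers regardless of whether or not they have elected to
 ** receive announcements.
 */
 void announce_page(void){
+  const char *zAction = "announce"
+  /* Maintenance reminder: we need an explicit action=THIS_PAGE on the
+  ** form element to avoid that a URL arg of to=... passed to this
+  ** page ends up overwriting the form-posted "to" value. This
+  ** action value differs for the test1 request path.
+  */;
+
   login_check_credentials();
   if( !g.perm.Announce ){
     login_needed(0);
     return;
   }
   style_set_current_feature("alerts");
   if( fossil_strcmp(P("name"),"test1")==0 ){
     /* Visit the /announce/test1 page to see the CGI variables */
+    zAction = "announce/test1";
     @ <p style='border: 1px solid black; padding: 1ex;'>
     cgi_print_all(0, 0);
     @ </p>
   }else if( P("submit")!=0 && cgi_csrf_safe(1) ){
     char *zErr = alert_send_announcement();
@@ -3290,11 +3298,11 @@
     @ for this repository.</p>
     return;
   }
 
   style_header("Send Announcement");
-  @ <form method="POST">
+  @ <form method="POST" action="%R/%s(zAction)">
   @ <table class="subscribe">
   if( g.perm.Admin ){
     int aa = PB("aa");
     int all = PB("all");
     int aMod = PB("mods");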
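Review bot: The declaration at new lines 3260–3265 separates `const char *zAction = "announce"` from its terminating `;` with a five-line comment, which reads as an unterminated statement until the `*/;` on the last comment line; move the comment above the declaration and write `const char *zAction = "announce";` on one line. The `%s(zAction)` substitution at new line 3303 is emitted unescaped into an HTML attribute, which is only safe because both values `zAction` can take are string literals assigned in this function; a comment at the declaration such as `/* Must stay a literal: it is interpolated unescaped into the form's action attribute */` would protect that invariant against a later change that derives it from request data. The shadowing this commit works around (a `to=` query parameter winning over the POST field of the same name) presumably applies to any other form in the codebase that is posted without an explicit action, so an audit of those forms or a fix in the CGI parameter lookup may be preferable to per-page workarounds; that is outside this hunk. announce_page's body continues past the end of both hunks.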
| --- src/alerts.c | |
| +++ src/alerts.c | |
| @@ -3255,18 +3255,26 @@ | |
| 3255 | ** also send a message to an arbitrary email address and/or to all |
| 3256 | ** subscribers regardless of whether or not they have elected to |
| 3257 | ** receive announcements. |
| 3258 | */ |
| 3259 | void announce_page(void){ |
| 3260 | login_check_credentials(); |
| 3261 | if( !g.perm.Announce ){ |
| 3262 | login_needed(0); |
| 3263 | return; |
| 3264 | } |
| 3265 | style_set_current_feature("alerts"); |
| 3266 | if( fossil_strcmp(P("name"),"test1")==0 ){ |
| 3267 | /* Visit the /announce/test1 page to see the CGI variables */ |
| 3268 | @ <p style='border: 1px solid black; padding: 1ex;'> |
| 3269 | cgi_print_all(0, 0); |
| 3270 | @ </p> |
| 3271 | }else if( P("submit")!=0 && cgi_csrf_safe(1) ){ |
| 3272 | char *zErr = alert_send_announcement(); |
| @@ -3290,11 +3298,11 @@ | |
| 3290 | @ for this repository.</p> |
| 3291 | return; |
| 3292 | } |
| 3293 | |
| 3294 | style_header("Send Announcement"); |
| 3295 | @ <form method="POST"> |
| 3296 | @ <table class="subscribe"> |
| 3297 | if( g.perm.Admin ){ |
| 3298 | int aa = PB("aa"); |
| 3299 | int all = PB("all"); |
| 3300 | int aMod = PB("mods"); |
| 3301 |
| --- src/alerts.c | |
| +++ src/alerts.c | |
| @@ -3255,18 +3255,26 @@ | |
| 3255 | ** also send a message to an arbitrary email address and/or to all |
| 3256 | ** subscribers regardless of whether or not they have elected to |
| 3257 | ** receive announcements. |
| 3258 | */ |
| 3259 | void announce_page(void){ |
| 3260 | const char *zAction = "announce" |
| 3261 | /* Maintenance reminder: we need an explicit action=THIS_PAGE on the |
| 3262 | ** form element to avoid that a URL arg of to=... passed to this |
| 3263 | ** page ends up overwriting the form-posted "to" value. This |
| 3264 | ** action value differs for the test1 request path. |
| 3265 | */; |
| 3266 | |
| 3267 | login_check_credentials(); |
| 3268 | if( !g.perm.Announce ){ |
| 3269 | login_needed(0); |
| 3270 | return; |
| 3271 | } |
| 3272 | style_set_current_feature("alerts"); |
| 3273 | if( fossil_strcmp(P("name"),"test1")==0 ){ |
| 3274 | /* Visit the /announce/test1 page to see the CGI variables */ |
| 3275 | zAction = "announce/test1"; |
| 3276 | @ <p style='border: 1px solid black; padding: 1ex;'> |
| 3277 | cgi_print_all(0, 0); |
| 3278 | @ </p> |
| 3279 | }else if( P("submit")!=0 && cgi_csrf_safe(1) ){ |
| 3280 | char *zErr = alert_send_announcement(); |
| @@ -3290,11 +3298,11 @@ | |
| 3298 | @ for this repository.</p> |
| 3299 | return; |
| 3300 | } |
| 3301 | |
| 3302 | style_header("Send Announcement"); |
| 3303 | @ <form method="POST" action="%R/%s(zAction)"> |
| 3304 | @ <table class="subscribe"> |
| 3305 | if( g.perm.Admin ){ |
| 3306 | int aa = PB("aa"); |
| 3307 | int all = PB("all"); |
| 3308 | int aMod = PB("mods"); |
| 3309 |