diff --git a/README.md b/README.md
index 8156d3f1..e4eddf7d 100644
--- a/README.md
+++ b/README.md
@@ -112,6 +112,7 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
 * Generate a new session on login and 2FA #220
+* Mitigate CSRF on user's settings #221
 ## 2.4.6 (2022-09-20)
diff --git a/rdiffweb/controller/pref_general.py b/rdiffweb/controller/pref_general.py
index 3bc01ee9..0f2faaa8 100644
--- a/rdiffweb/controller/pref_general.py
+++ b/rdiffweb/controller/pref_general.py
@@ -116,18 +116,19 @@ def render_prefs_panel(self, panelid, action=None, **kwargs): # @UnusedVariable
         # Process the parameters.
         profile_form = UserProfileForm(email=self.app.currentuser.email)
         password_form = UserPasswordForm()
-        if action == "set_profile_info":
-            self._handle_set_profile_info(action, profile_form)
-        elif action == "set_password":
-            self._handle_set_password(action, password_form)
-        elif action == "update_repos":
-            self.app.currentuser.refresh_repos(delete=True)
-            flash(_("Repositories successfully updated"), level='success')
-        elif action is None:
-            pass
-        else:
-            _logger.warning("unknown action: %s", action)
-            raise cherrypy.NotFound("Unknown action")
+        if cherrypy.request.method == 'POST':
+            if action == "set_profile_info":
+                self._handle_set_profile_info(action, profile_form)
+            elif action == "set_password":
+                self._handle_set_password(action, password_form)
+            elif action == "update_repos":
+                self.app.currentuser.refresh_repos(delete=True)
+                flash(_("Repositories successfully updated"), level='success')
+            elif action is None:
+                pass
+            else:
+                _logger.warning("unknown action: %s", action)
+                raise cherrypy.NotFound("Unknown action")
         params = {
             'profile_form': profile_form,
             'password_form': password_form,
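Review bot: The new `if cherrypy.request.method == 'POST':` guard only rules out the GET/link form of CSRF; a cross-origin HTML form submission is still a POST and passes this check, so the mitigation depends on `UserProfileForm`/`UserPasswordForm` validating a CSRF token inside `_handle_set_profile_info`/`_handle_set_password` (or on an Origin/Referer check elsewhere), none of which is visible in this hunk and should be confirmed. The `update_repos` branch calls `self.app.currentuser.refresh_repos(delete=True)` with no form at all, so it has no token validation to fall back on. Separately, the `else` branch that logs and raises `cherrypy.NotFound("Unknown action")` now sits inside the POST guard, so a GET carrying an unknown `action` silently renders the panel instead of returning 404; consider keeping the unknown-action check outside the method test, e.g. `if action not in (None, "set_profile_info", "set_password", "update_repos"): raise cherrypy.NotFound("Unknown action")`. A comment on the new `if`, such as `# State-changing actions are accepted on POST only; GET just renders the panel.`, would record the intent. `render_prefs_panel` starts before and continues after this hunk.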