web/views/basecontrollers.py
branchstable
changeset 8605 797fc2e2fb78
parent 8487 017af22e7678
child 8609 112a04c0473d
--- a/web/views/basecontrollers.py	Wed Nov 28 11:44:15 2012 +0100
+++ b/web/views/basecontrollers.py	Tue Nov 27 14:48:03 2012 +0100
@@ -27,7 +27,8 @@
 from logilab.common.deprecation import deprecated
 
 from cubicweb import (NoSelectableObject, ObjectNotFound, ValidationError,
-                      AuthenticationError, typed_eid, UndoTransactionException)
+                      AuthenticationError, typed_eid, UndoTransactionException,
+                      Forbidden)
 from cubicweb.utils import json_dumps
 from cubicweb.predicates import (authenticated_user, anonymous_user,
                                 match_form_params)
@@ -276,9 +277,15 @@
 
     def publish(self, rset=None):
         req = self._cw
+        desc = req.form['description']
+        # The description is generated and signed by cubicweb itself, check
+        # description's signature so we don't want to send spam here
+        sign = req.form.get('__signature', '')
+        if not (sign and req.vreg.config.check_text_sign(desc, sign)):
+            raise Forbidden('Invalid content')
         self.sendmail(req.vreg.config['submit-mail'],
                       req._('%s error report') % req.vreg.config.appid,
-                      req.form['description'])
+                      desc)
         raise Redirect(req.build_url(__message=req._('bug report sent')))
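Review bot: A request with no `description` field now raises KeyError at `desc = req.form['description']` before the signature check runs, so a malformed or probing POST gets a 500 instead of the `Forbidden` the new code intends; reading it as `desc = req.form.get('description')` and widening the guard to `if not (desc and sign and req.vreg.config.check_text_sign(desc, sign)):` keeps every rejection on the same path. The comparison done inside `check_text_sign` is not visible here; if it compares the signature with plain `==`, a constant-time comparison (`hmac.compare_digest`) would be the stronger choice, worth confirming. The comment on the new lines is also hard to parse; `# The description is generated and signed by cubicweb itself; verify the signature so this endpoint cannot be used to send arbitrary mail.` says what is meant. The enclosing class starts outside the hunk.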