data leakage between users
|Reported by:||Brett||Owned by:||peca|
This is a periodic one and is probably only applicable to mod_python (and possibly FCGI) installations but all versions of trac.
Basically, when creating a DownloadData object, it initializes self.schema to the form_data.quest_form object. This is only a reference though. As the code sets values in self.schema, it is also setting them in the global form_data.quest_form. When a different user's request is handled by the same mod_python process, their form data is now prefilled with the data entered by the last user that was served by that process. Unfortunately, this can include sensitive information.
My solution was to import copy and then change the assignment in init to a deepcopy operation.
self.schema = copy.deepcopy(form_data.quest_form)