From b08301e544263436e09762b0b252c96e732d14d0 Mon Sep 17 00:00:00 2001
From: Olivier Dony <odo@odoo.com>
Date: Thu, 11 Mar 2021 12:57:36 +0100
Subject: [PATCH] [FIX] web: expect explicit sign up parameters

Using an explicit list of sign up parameters will avoid
polluting the context with unrelated values, and make
debugging easier.
---
 addons/auth_signup/controllers/main.py | 4 ++--
 addons/web/controllers/main.py         | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/addons/auth_signup/controllers/main.py b/addons/auth_signup/controllers/main.py
index ef24343a6c21..26c8d4a89eea 100644
--- a/addons/auth_signup/controllers/main.py
+++ b/addons/auth_signup/controllers/main.py
@@ -5,7 +5,7 @@ import werkzeug
 
 from odoo import http, _
 from odoo.addons.auth_signup.models.res_users import SignupError
-from odoo.addons.web.controllers.main import ensure_db, Home
+from odoo.addons.web.controllers.main import ensure_db, Home, SIGN_UP_REQUEST_PARAMS
 from odoo.addons.base_setup.controllers.main import BaseSetup
 from odoo.exceptions import UserError
 from odoo.http import request
@@ -104,7 +104,7 @@ class AuthSignupHome(Home):
 
     def get_auth_signup_qcontext(self):
         """ Shared helper returning the rendering context for signup and reset password """
-        qcontext = request.params.copy()
+        qcontext = {k: v for (k, v) in request.params.items() if k in SIGN_UP_REQUEST_PARAMS}
         qcontext.update(self.get_auth_signup_config())
         if not qcontext.get('token') and request.session.get('auth_signup_token'):
             qcontext['token'] = request.session.get('auth_signup_token')
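Review bot: The new comprehension on the `qcontext = ...` line is now the boundary that decides which request parameters can reach the signup/reset-password rendering context, but nothing at the call site says so, and a future maintainer may be tempted to revert to `request.params.copy()` when a new field goes missing. I would add `# Allow-list: only SIGN_UP_REQUEST_PARAMS may flow from the request into the rendering context; any other key is dropped on purpose` above it, so the drop is understood as intended rather than accidental. Note also that `get_auth_signup_config()` is merged afterwards with `update()`, so a request parameter with the same name as a config key is overwritten by the config, which is the safe direction; that ordering is worth preserving and could be mentioned in the same comment. The body of `get_auth_signup_qcontext` continues past the end of this hunk.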
diff --git a/addons/web/controllers/main.py b/addons/web/controllers/main.py
index eb8a8621e51b..8b1631dc7e3a 100644
--- a/addons/web/controllers/main.py
+++ b/addons/web/controllers/main.py
@@ -607,6 +607,10 @@ class HomeStaticTemplateHelpers(object):
     def get_qweb_templates(cls, addons, db=None, debug=False):
         return cls(addons, db, debug=debug)._get_qweb_templates()[0]
 
+# Shared parameters for all login/signup flows
+SIGN_UP_REQUEST_PARAMS = {'db', 'login', 'debug', 'token', 'message', 'error', 'scope', 'mode',
+                          'redirect', 'redirect_hostname', 'email', 'name', 'partner_id',
+                          'password', 'confirm_password', 'city', 'country_id', 'lang'}
 
 class GroupsTreeNode:
     """
@@ -899,7 +903,7 @@ class Home(http.Controller):
         if not request.uid:
             request.uid = odoo.SUPERUSER_ID
 
-        values = request.params.copy()
+        values = {k: v for k, v in request.params.items() if k in SIGN_UP_REQUEST_PARAMS}
         try:
             values['databases'] = http.db_list()
         except odoo.exceptions.AccessDenied:
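Review bot: The filter comprehension on the `values = ...` line is the same expression as the one added in `addons/auth_signup/controllers/main.py` (`qcontext = {k: v for (k, v) in request.params.items() if k in SIGN_UP_REQUEST_PARAMS}`), so the allow-list logic now lives in two modules and can drift if one is later changed to, say, also normalise values. Since `request` is already in scope here, a small helper next to the constant, `def get_sign_up_request_params(): return {k: v for k, v in request.params.items() if k in SIGN_UP_REQUEST_PARAMS}`, would let both call sites (and any future login/signup flow) share one filter. The enclosing method begins before this hunk, so I cannot see its signature or docstring; if it has one, it should mention that only the allow-listed parameters are forwarded.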
-- 
GitLab