Files
@ 8b47181750a8
Branch filter:
Location: kallithea/MANIFEST.in - annotation
8b47181750a8
1.1 KiB
text/plain
login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
8cea7986ed79 ff08d3cf9aef ff08d3cf9aef ff08d3cf9aef 8cea7986ed79 ff08d3cf9aef ff08d3cf9aef ff08d3cf9aef ff08d3cf9aef ddfecf9fe7f2 8cea7986ed79 ff08d3cf9aef 8cea7986ed79 8cea7986ed79 8cea7986ed79 2d7a94f3eaae 0e6035a85980 7894a440e134 ff08d3cf9aef 8cea7986ed79 19a9f02443c8 ff08d3cf9aef ff08d3cf9aef 7e5f8c12a3fc ff08d3cf9aef ff08d3cf9aef 8cea7986ed79 8cea7986ed79 ff08d3cf9aef 8cea7986ed79 | include .coveragerc
include Apache-License-2.0.txt
include CONTRIBUTORS
include COPYING
include Jenkinsfile
include LICENSE-MERGELY.html
include LICENSE.md
include MIT-Permissive-License.txt
include README.rst
include conftest.py
include dev_requirements.txt
include development.ini
include pytest.ini
include requirements.txt
include tox.ini
recursive-include docs *
recursive-include init.d *
recursive-include kallithea/alembic *
include kallithea/bin/ldap_sync.conf
include kallithea/lib/paster_commands/template.ini.mako
recursive-include kallithea/front-end *
recursive-include kallithea/i18n *
recursive-include kallithea/public *
recursive-include kallithea/templates *
recursive-include kallithea/tests/fixtures *
recursive-include kallithea/tests/scripts *
include kallithea/tests/models/test_dump_html_mails.ref.html
include kallithea/tests/performance/test_vcs.py
include kallithea/tests/vcs/aconfig
recursive-include scripts *
|