Files
@ 8b47181750a8
Branch filter:
Location: kallithea/conftest.py - annotation
8b47181750a8
1.2 KiB
text/x-python
login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
0a277465fddf 0a277465fddf afa5e0bdb76f afa5e0bdb76f 0a277465fddf afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f afa5e0bdb76f 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 3929ff3f21c6 | import os
import mock
import pytest
here = os.path.dirname(__file__)
def pytest_ignore_collect(path):
# ignore all files outside the 'kallithea' directory
if not str(path).startswith(os.path.join(here, 'kallithea')):
return True
# during doctest verification, normally all python files will be imported.
# Thus, files that cannot be imported normally should be ignored.
# Files that generate ImportErrors are ignored via
# '--doctest-ignore-import-errors' (pytest.ini)
kallithea_ignore_paths = (
# AttributeError: 'module' object has no attribute 'config'
'/kallithea/alembic/env.py',
# collection of the following file messes up the rest of test execution
'/kallithea/tests/scripts/manual_test_concurrency.py',
)
if str(path).endswith(kallithea_ignore_paths):
return True
@pytest.fixture()
def doctest_mock_ugettext(request):
"""Mock ugettext ('_') in the module using this fixture.
Intended to be used for doctests.
In a doctest, enable this fixture using:
>>> getfixture('doctest_mock_ugettext')
"""
m = __import__(request.module.__name__, globals(), locals(), [None], 0)
with mock.patch.object(m, '_', lambda s: s):
yield
|