Files @ 8b47181750a8
Branch filter:

Location: kallithea/docs/index.rst - annotation

8b47181750a8 1.3 KiB text/prs.fallenstein.rst Show Source Show as Raw Download as Raw
Mads Kiilerich
login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)

htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.

By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.

Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.

The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
5f481e4e888b
5f481e4e888b
22a3fa3c4254
beb4cbf30d00
22a3fa3c4254
22a3fa3c4254
e71216a16853
e71216a16853
e71216a16853
2cbdbf55ed99
e71216a16853
2cbdbf55ed99
bdd1ddd05b7c
03bbd33bc084
03bbd33bc084
5f481e4e888b
03bbd33bc084
03bbd33bc084
2cbdbf55ed99
e71216a16853
2cbdbf55ed99
e71216a16853
e71216a16853
5f481e4e888b
5f481e4e888b
5f481e4e888b
5f481e4e888b
154becd92f40
5f481e4e888b
64b1a2320bcb
d95ea48af67b
e69d34136be5
57caeb60c52b
8075ec3d0233
8b8edfc25856
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
2898ea3ff76c
2bb5e9ee49fe
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
e71216a16853
2cbdbf55ed99
e71216a16853
2cbdbf55ed99
bb35ad076e2f
bb35ad076e2f
bb35ad076e2f
bb35ad076e2f
bbd499c7b55e
2bb5e9ee49fe
bbd499c7b55e
e71216a16853
beb4cbf30d00
beb4cbf30d00
e71216a16853
2cbdbf55ed99
bb35ad076e2f
bb35ad076e2f
bb35ad076e2f
8b8edfc25856
bb35ad076e2f
5262c498b3a0
9fd64dd2617d
5f481e4e888b
fbbe80e3322b
a60cd29ba7e2
5f481e4e888b
5f481e4e888b
cc21a2b86a30
9472a0150bf0
5f481e4e888b
a60cd29ba7e2
a60cd29ba7e2
a60cd29ba7e2
8b8edfc25856

.. _index:

#######################
Kallithea Documentation
#######################

* :ref:`genindex`
* :ref:`search`


Readme
******

.. toctree::
   :maxdepth: 1

   readme


Administrator guide
*******************

**Installation and upgrade**

.. toctree::
   :maxdepth: 1

   overview
   installation
   installation_win
   installation_win_old
   installation_iis
   installation_puppet
   upgrade

**Setup and configuration**

.. toctree::
   :maxdepth: 1

   setup
   administrator_guide/auth
   administrator_guide/vcs_setup
   usage/email
   usage/customization

**Maintenance**

.. toctree::
   :maxdepth: 1

   usage/backup
   usage/performance
   usage/debugging
   usage/troubleshooting


User guide
**********

.. toctree::
   :maxdepth: 1

   usage/general
   usage/vcs_notes
   usage/statistics
   api/api


Developer guide
***************

.. toctree::
   :maxdepth: 1

   contributing
   dev/translation
   dev/dbmigrations


.. _virtualenv: http://pypi.python.org/pypi/virtualenv
.. _python: http://www.python.org/
.. _django: http://www.djangoproject.com/
.. _mercurial: https://www.mercurial-scm.org/
.. _bitbucket: http://bitbucket.org/
.. _subversion: http://subversion.tigris.org/
.. _git: http://git-scm.com/
.. _celery: http://celeryproject.org/
.. _Sphinx: http://sphinx.pocoo.org/
.. _vcs: http://pypi.python.org/pypi/vcs
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.