Files
@ 8b47181750a8
Branch filter:
Location: kallithea/scripts/validate-commits - annotation
8b47181750a8
1.4 KiB
text/plain
login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
37ac2ac0a9ae 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 d9e37f7fd35b 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 69f70de15f26 | #!/bin/bash
# Validate the specified commits against test suite and other checks.
if [ -n "$VIRTUAL_ENV" ]; then
echo "Please run this script from outside a virtualenv."
exit 1
fi
if ! hg update --check -q .; then
echo "Working dir is not clean, please commit/revert changes first."
exit 1
fi
venv=$(mktemp -d kallithea-validatecommits-env-XXXXXX)
resultfile=$(mktemp kallithea-validatecommits-result-XXXXXX)
echo > "$resultfile"
cleanup()
{
rm -rf /tmp/kallithea-test*
rm -rf "$venv"
}
finish()
{
cleanup
# print (possibly intermediate) results
cat "$resultfile"
rm "$resultfile"
}
trap finish EXIT
for rev in $(hg log -r "$1" -T '{node}\n'); do
hg log -r "$rev"
hg update "$rev"
cleanup
virtualenv -p "$(command -v python2)" "$venv"
source "$venv/bin/activate"
pip install --upgrade pip setuptools
pip install -e . -r dev_requirements.txt python-ldap python-pam
# run-all-cleanup
scripts/run-all-cleanup
if ! hg update --check -q .; then
echo "run-all-cleanup did not give clean results!"
result="NOK"
hg diff
hg revert -a
else
result=" OK"
fi
echo "$result: $rev (run-all-cleanup)" >> "$resultfile"
# pytest
if py.test; then
result=" OK"
else
result="NOK"
fi
echo "$result: $rev (pytest)" >> "$resultfile"
deactivate
echo
done
|