Files
@ 8b47181750a8
Branch filter:
Location: kallithea/setup.cfg - annotation
8b47181750a8
711 B
text/x-ini
login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
564e40829f80 1949ece749ce acaa02179aeb acaa02179aeb 564e40829f80 d88077fae3d6 d88077fae3d6 8c1258f69892 564e40829f80 7e5f8c12a3fc 7e5f8c12a3fc 564e40829f80 564e40829f80 564e40829f80 564e40829f80 7e5f8c12a3fc 10df28cbcce7 ad38f9f93b3b 564e40829f80 564e40829f80 7e5f8c12a3fc 7e5f8c12a3fc 7e5f8c12a3fc 564e40829f80 564e40829f80 7e5f8c12a3fc 7e5f8c12a3fc 7e5f8c12a3fc 564e40829f80 0a48c1ec04fc 0a48c1ec04fc 0a48c1ec04fc acaa02179aeb acaa02179aeb 0a48c1ec04fc 0a48c1ec04fc 3483de9d11e5 | [egg_info]
tag_build =
tag_svn_revision = 0
tag_date = 0
[aliases]
test = pytest
[compile_catalog]
domain = kallithea
directory = kallithea/i18n
statistics = true
[extract_messages]
add_comments = TRANSLATORS:
output_file = kallithea/i18n/kallithea.pot
msgid-bugs-address = translations@kallithea-scm.org
copyright-holder = Various authors, licensing as GPLv3
[init_catalog]
domain = kallithea
input_file = kallithea/i18n/kallithea.pot
output_dir = kallithea/i18n
[update_catalog]
domain = kallithea
input_file = kallithea/i18n/kallithea.pot
output_dir = kallithea/i18n
previous = true
[build_sphinx]
source-dir = docs/
build-dir = docs/_build
all_files = 1
[upload_sphinx]
upload-dir = docs/_build/html
|