Files @ 8b47181750a8
Branch filter:

Location: kallithea/conftest.py

8b47181750a8 1.2 KiB text/x-python Show Annotation Show as Raw Download as Raw
Mads Kiilerich
login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)

htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.

By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.

Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.

The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
import os

import mock
import pytest


here = os.path.dirname(__file__)

def pytest_ignore_collect(path):
    # ignore all files outside the 'kallithea' directory
    if not str(path).startswith(os.path.join(here, 'kallithea')):
        return True

    # during doctest verification, normally all python files will be imported.
    # Thus, files that cannot be imported normally should be ignored.
    # Files that generate ImportErrors are ignored via
    # '--doctest-ignore-import-errors' (pytest.ini)
    kallithea_ignore_paths = (
        # AttributeError: 'module' object has no attribute 'config'
        '/kallithea/alembic/env.py',
        # collection of the following file messes up the rest of test execution
        '/kallithea/tests/scripts/manual_test_concurrency.py',
    )
    if str(path).endswith(kallithea_ignore_paths):
        return True

@pytest.fixture()
def doctest_mock_ugettext(request):
    """Mock ugettext ('_') in the module using this fixture.

    Intended to be used for doctests.

    In a doctest, enable this fixture using:
        >>> getfixture('doctest_mock_ugettext')
    """
    m = __import__(request.module.__name__, globals(), locals(), [None], 0)
    with mock.patch.object(m, '_', lambda s: s):
        yield
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.