Files
@ 8b47181750a8
Branch filter:
Location: kallithea/.hgignore - annotation
8b47181750a8
1.1 KiB
text/plain
login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
a555d8345105 a555d8345105 a555d8345105 3dd89d30cd28 b5c57e2176dc a28bd9cb6549 a28bd9cb6549 7d6c4bd58abd 17b86a2976ca 17b86a2976ca f0013f65982d 9885bbacf99c 9885bbacf99c 564e40829f80 564e40829f80 95f1ed68cac1 a555d8345105 9496c047ea4d a555d8345105 a555d8345105 058f63b6c2ff b619d9eef67a 058f63b6c2ff 058f63b6c2ff 596eb21f61d5 27c8836e6356 19a9f02443c8 19a9f02443c8 3b54bcf6d128 7ec976c8c198 bf514091b27f 12455b1a1a6f 12455b1a1a6f 12455b1a1a6f 12455b1a1a6f 12455b1a1a6f 585dee5eb4bb cc2c473abc5f 2e7ffb755d4f 2e7ffb755d4f cc2c473abc5f 2b8f69cb7d8c 2b8f69cb7d8c 2b8f69cb7d8c 2b8f69cb7d8c 12455b1a1a6f 277684f23146 92cacbcb5272 24c0d584ba86 03bbd33bc084 324ac367a4da bd39c1f70e35 bfa66e8887d7 42163501d6b5 9358211ee144 | syntax: glob
*.pyc
*.swp
*.sqlite
*.tox
*.egg-info
*.egg
*.mo
*.orig
*.rej
*.bak
.eggs/
tarballcache/
syntax: regexp
^rcextensions
^build
^dist/
^docs/build/
^docs/_build/
^data$
^sql_dumps/
^\.settings$
^\.project$
^\.pydevproject$
^\.coverage$
^kallithea/front-end/node_modules$
^kallithea/front-end/package-lock\.json$
^kallithea/front-end/theme\.less$
^kallithea/front-end/tmp$
^kallithea/public/codemirror$
^kallithea/public/css/select2-spinner\.gif$
^kallithea/public/css/select2\.png$
^kallithea/public/css/select2x2\.png$
^kallithea/public/css/style\.css$
^kallithea/public/css/style\.css\.map$
^kallithea/public/js/bootstrap\.js$
^kallithea/public/js/dataTables\.bootstrap\.js$
^kallithea/public/js/jquery\.atwho\.min\.js$
^kallithea/public/js/jquery\.caret\.min\.js$
^kallithea/public/js/jquery\.dataTables\.js$
^kallithea/public/js/jquery\.flot\.js$
^kallithea/public/js/jquery\.flot\.selection\.js$
^kallithea/public/js/jquery\.flot\.time\.js$
^kallithea/public/js/jquery\.min\.js$
^kallithea/public/js/select2\.js$
^kallithea\.db$
^test\.db$
^Kallithea\.egg-info$
^my\.ini$
^fabfile.py
^\.idea$
^\.cache$
^\.pytest_cache$
/__pycache__$
|