Mercurial > kallithea
annotate MIT-Permissive-License.txt @ 8093:8b47181750a8 stable
login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that doesn't have a new
"default" value provided. It could be fixed by setting force_defaults to False
- see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html . It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token() .
| author | Mads Kiilerich <mads@kiilerich.com> |
|---|---|
| date | Thu, 09 Jan 2020 12:28:33 +0100 |
| parents | 08baa849c8a8 |
| children |
| rev | line source |
|---|---|
|
4119
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
1 Permission is hereby granted, free of charge, to any person obtaining a copy |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
2 of this software and associated documentation files (the "Software"), to deal |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
3 in the Software without restriction, including without limitation the rights |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
4 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
5 copies of the Software, and to permit persons to whom the Software is |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
6 furnished to do so, subject to the following conditions: |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
7 |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
8 The above copyright notice and this permission notice shall be included in |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
9 all copies or substantial portions of the Software. |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
10 |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
11 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
12 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
13 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
14 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
15 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
16 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
|
08baa849c8a8
Add MIT-Permissive-License.txt
Bradley M. Kuhn <bkuhn@sfconservancy.org>
parents:
diff
changeset
|
17 SOFTWARE. |