view .coveragerc @ 8093:8b47181750a8 stable
login: fix incorrect CSRF rejection of "Reset Your Password" form (Issue #350)
htmlfill would remove the CSRF token from the form when substituting the query
parameters, causing password reset to break.
By default, htmlfill will clear all input fields that don't have a new
"default" value provided. It could be fixed by setting force_defaults to False
(see http://www.formencode.org/en/1.2-branch/modules/htmlfill.html). It could
also be fixed by providing the CSRF token in the defaults to be substituted in
the form.
Instead, refactor password_reset_confirmation to have more explicitly safe
handling of query parameters. Replace htmlfill with the usual template
variables.
The URLs are generated in kallithea/model/user.py send_reset_password_email()
and should only contain email, timestamp (integer as digit string) and a hex
token from get_reset_password_token().
| author | Mads Kiilerich <mads@kiilerich.com> |
|---|---|
| date | Thu, 09 Jan 2020 12:28:33 +0100 |
| parents | 4b241f198cf2 |
| children | d332fca29474 |
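The commit message above describes the safe pattern: accept only the three documented query parameters in the shapes they are documented to have, and emit the CSRF token as an ordinary template variable rather than relying on a form filler to preserve it. The following is an added, self-contained illustration of that pattern; it is not Kallithea's code. The token derivation in `make_reset_token` (an HMAC over email and timestamp), the `csrf_token` field name, the one-hour `max_age`, the `SERVER_SECRET` value and all function names are assumptions made for the example, not taken from the project.

```python
import hashlib
import hmac
import re
import time
from html import escape
from urllib.parse import parse_qs

# Constructed, hypothetical server-side secret for the example only.
# A real deployment loads this from configuration.
SERVER_SECRET = b"constructed-example-secret"

# The reset URL is documented to carry exactly: an email address, a timestamp
# that is an integer as a digit string, and a hex token.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")
TIMESTAMP_RE = re.compile(r"^[0-9]+$")
TOKEN_RE = re.compile(r"^[0-9a-f]+$")


def make_reset_token(email, timestamp):
    """Hypothetical token derivation (an assumption, not Kallithea's
    get_reset_password_token): HMAC-SHA256 over email and timestamp, hex-encoded.
    Binding the timestamp into the MAC means a tampered timestamp invalidates it."""
    msg = f"{email}:{timestamp}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def parse_reset_params(query_string):
    """Return (email, timestamp, token) only if the query carries exactly the
    documented keys, each once, each matching its expected character class.
    Anything else is rejected instead of being echoed back into the form."""
    params = parse_qs(query_string, keep_blank_values=True)
    if set(params) != {"email", "timestamp", "token"}:
        return None
    if any(len(values) != 1 for values in params.values()):
        return None
    email = params["email"][0]
    timestamp = params["timestamp"][0]
    token = params["token"][0]
    if not (EMAIL_RE.match(email) and TIMESTAMP_RE.match(timestamp)
            and TOKEN_RE.match(token)):
        return None
    return email, timestamp, token


def verify_reset_token(email, timestamp, token, now=None, max_age=3600):
    """Reject expired or future timestamps, then compare the presented token
    against the expected one in constant time."""
    now = time.time() if now is None else now
    ts = int(timestamp)
    if ts > now or now - ts > max_age:
        return False
    expected = make_reset_token(email, timestamp)
    return hmac.compare_digest(expected.encode(), token.encode())


def render_confirmation_form(email, timestamp, token, csrf_token):
    """Render every hidden field, including the CSRF token, from explicit
    template variables, so nothing depends on a form filler keeping the token."""
    fields = {
        "email": email,
        "timestamp": timestamp,
        "token": token,
        "csrf_token": csrf_token,  # hypothetical field name for the example
    }
    hidden = "\n".join(
        f'<input type="hidden" name="{escape(name)}" value="{escape(value)}">'
        for name, value in fields.items()
    )
    return f'<form method="post">\n{hidden}\n<input type="password" name="password">\n</form>'
```

`parse_reset_params` deliberately returns `None` for repeated keys and for any extra parameter, so the only values that ever reach the rendered form are ones that passed the shape check; `render_confirmation_form` then HTML-escapes them anyway, so a rejected-by-shape check and an escaped output are two independent layers rather than one.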
```ini
[run]
omit =
    # the bin scripts are not part of the Kallithea web app
    kallithea/bin/*
    # we ship with no active extensions
    kallithea/config/rcextensions/*
    # dbmigrate is not a part of the Kallithea web app
    kallithea/lib/dbmigrate/*
    # the tests themselves should not be part of the coverage report
    kallithea/tests/*
    # the scm hooks are not run in the kallithea process
    kallithea/config/post_receive_tmpl.py
    kallithea/config/pre_receive_tmpl.py
    # same omit lines should be present in sections 'run' and 'report'

[report]
omit =
    # the bin scripts are not part of the Kallithea web app
    kallithea/bin/*
    # we ship with no active extensions
    kallithea/config/rcextensions/*
    # dbmigrate is not a part of the Kallithea web app
    kallithea/lib/dbmigrate/*
    # the tests themselves should not be part of the coverage report
    kallithea/tests/*
    # the scm hooks are not run in the kallithea process
    kallithea/config/post_receive_tmpl.py
    kallithea/config/pre_receive_tmpl.py

[paths]
source =
    kallithea/
    **/workspace/*/kallithea
```