fix: Only send password reset email to known, active addresses (#5061)
* fix: Only send password reset email to known, active addresses

Limits password reset to Users with a Person and at least one active address on file. Avoids the possibility of sending a password reset to a spoofed address as in CVE-2019-19844.

* test: Use factory instead of explicit construction

* test: Test that a User with no Person cannot reset password

* fix: Fix handling of User.person field when it's null

* test: Test that reset emails are sent to known, active addresses
1 parent
afac1f8
commit 98d7b15
Showing
3 changed files
with
78 additions
and
31 deletions.
|
@@ -414,12 +414,10 @@ def test_reset_password(self): | |
email = '[email protected]' | ||
password = 'foobar' | ||
|
||
user = User.objects.create(username=email, email=email) | ||
user = PersonFactory(user__email=email).user | ||
user.set_password(password) | ||
user.save() | ||
p = Person.objects.create(name="Some One", ascii="Some One", user=user) | ||
Email.objects.create(address=user.username, person=p, origin=user.username) | ||
|
||
|
||
# get | ||
r = self.client.get(url) | ||
self.assertEqual(r.status_code, 200) | ||
|
@@ -497,6 +495,39 @@ def test_reset_password(self): | |
r = self.client.get(confirm_url) | ||
self.assertEqual(r.status_code, 404) | ||
|
||
def test_reset_password_without_person(self): | ||
"""No password reset for account without a person""" | ||
url = urlreverse('ietf.ietfauth.views.password_reset') | ||
user = UserFactory() | ||
user.set_password('some password') | ||
user.save() | ||
empty_outbox() | ||
r = self.client.post(url, { 'username': user.username}) | ||
self.assertContains(r, 'No known active email addresses', status_code=200) | ||
q = PyQuery(r.content) | ||
self.assertTrue(len(q("form .is-invalid")) > 0) | ||
self.assertEqual(len(outbox), 0) | ||
|
||
def test_reset_password_address_handling(self): | ||
"""Reset password links are only sent to known, active addresses""" | ||
url = urlreverse('ietf.ietfauth.views.password_reset') | ||
person = PersonFactory() | ||
person.email_set.update(active=False) | ||
empty_outbox() | ||
r = self.client.post(url, { 'username': person.user.username}) | ||
self.assertContains(r, 'No known active email addresses', status_code=200) | ||
q = PyQuery(r.content) | ||
self.assertTrue(len(q("form .is-invalid")) > 0) | ||
self.assertEqual(len(outbox), 0) | ||
|
||
active_address = EmailFactory(person=person).address | ||
r = self.client.post(url, {'username': person.user.username}) | ||
self.assertNotContains(r, 'No known active email addresses', status_code=200) | ||
self.assertEqual(len(outbox), 1) | ||
to = outbox[0].get('To') | ||
self.assertIn(active_address, to) | ||
self.assertNotIn(person.user.username, to) | ||
|
||
def test_review_overview(self): | ||
review_req = ReviewRequestFactory() | ||
assignment = ReviewAssignmentFactory(review_request=review_req,reviewer=EmailFactory(person__user__username='reviewer')) | ||
|
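Review bot: Both new tests assert the literal 'No known active email addresses' message for an account that exists but has no usable address, and neither pins what the endpoint answers for a username that does not exist at all; if the view is not shown here but returns a different message in that case, the reset form can be used to tell real accounts from unknown ones, so a third test (or an assertion in test_reset_password_without_person) that an unknown username yields the same status and the same form error would lock that property down alongside the CVE-2019-19844 fix. In test_reset_password_address_handling the final `assertNotIn(person.user.username, to)` only proves the point if PersonFactory sets the username to the address that was just deactivated; a one-line comment such as `# username doubles as the now-inactive address, so it must not be a recipient` would make that assumption explicit for the next maintainer. As a point of style, `self.assertTrue(len(q("form .is-invalid")) > 0)` in both tests reads better and fails more informatively as `self.assertGreater(len(q("form .is-invalid")), 0)`. The enclosing test class starts before the first hunk and continues past the last one.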