tests: check open redirection is impossible for /password/reset/ (#76835)

This commit is contained in:
Benjamin Dauvergne 2023-04-20 16:44:42 +02:00
parent f9d07d749a
commit 769afa64fc
2 changed files with 28 additions and 2 deletions


@ -1112,9 +1112,9 @@ class PasswordResetView(FormView):
title = _('Password Reset')
code = None
def dispatch(self, *args, **kwargs):
def setup(self, request, *args, **kwargs):
super().setup(request, *args, **kwargs)
self.authenticator = utils_misc.get_password_authenticator()
return super().dispatch(*args, **kwargs)
def get_success_url(self):
if (
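Review bot: The new `setup` override carries no docstring saying why the authenticator lookup moved out of `dispatch`, and the reason is not obvious from the two lines themselves. Since `setup()` is the first thing `as_view()` calls and can also be invoked directly on an instance, a one-line docstring such as `"""Resolve the password authenticator in setup() so the view is fully initialised even when instantiated directly (e.g. tests calling setup())."""` would record the intent. If `utils_misc.get_password_authenticator()` can raise or return None when the authenticator is deactivated (the test module mentions a globally deactivated case), that now happens during setup rather than dispatch, so it is worth confirming the existing 404 handling still applies. The enclosing class and `get_success_url` continue outside the hunk.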


@ -25,6 +25,7 @@ from django.urls import reverse
from authentic2.apps.authenticators.models import LoginPasswordAuthenticator
from authentic2.models import Attribute, SMSCode, Token
from authentic2.utils.misc import send_password_reset_mail
from authentic2.views import PasswordResetView
from . import utils
@ -493,3 +494,28 @@ def test_ou_policies(app, db, settings, user_ou1, ou1, user_ou2, ou2, mailoutbox
url = reverse('password_reset')
resp = app.get(url, status=404) # globally deactivated, page not found
def test_open_redirection(db, rf, app):
BAD_URL = 'https://bad.url.com/'
request = rf.get(f'/password/reset/?next={BAD_URL}')
password_reset = PasswordResetView()
password_reset.setup(request)
assert password_reset.get_form_kwargs()['initial'].get('next_url') != BAD_URL
request = rf.post('/password/reset/', {'next_url': BAD_URL, 'email': 'john.doe@example.com'})
password_reset = PasswordResetView()
password_reset.setup(request)
form = password_reset.get_form()
assert form.is_valid()
assert form.cleaned_data['next_url'] == BAD_URL
# not a problem, because... the form is protected by a CSRF token, it's
# impossible to initialize the form from elsewhere, next_url will revert to
# ''
response = app.post('/password/reset/', {'next_url': BAD_URL, 'email': 'john.doe@example.com'})
response = response.follow()
assert response.pyquery('.messages').text() == 'The page is out of date, it was reloaded for you'
assert response.form['next_url'].value == ''
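Review bot: The test never asserts where a successful submission actually redirects, so it does not directly establish the claim in its name; the final `app.post` / `follow()` block only shows that a submission without a CSRF token is re-rendered with `next_url` cleared. Completing the flow with the re-rendered form, which now carries a valid token, would pin the property: `resp = response.form.submit()` then `assert not (resp.location or '').startswith(BAD_URL)` (assuming `app` is a webtest TestApp and the view answers a valid submission with a redirect — confirm). The `cleaned_data['next_url'] == BAD_URL` assertion shows the form accepts an arbitrary absolute URL, so the protection rests on CSRF rather than on validating `next_url` against the allowed hosts; if `get_success_url` (which begins at the end of the other hunk and continues outside it) does not already check it, e.g. with Django's `url_has_allowed_host_and_scheme`, doing so would be a defence-in-depth improvement independent of CSRF. Also, `BAD_URL` is a function-local, so PEP 8 naming would be `bad_url`.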