tests: check open redirection is impossible for /password/reset/ (#76835)
This commit is contained in:
parent
f9d07d749a
commit
769afa64fc
|
@ -1112,9 +1112,9 @@ class PasswordResetView(FormView):
|
|||
title = _('Password Reset')
|
||||
code = None
|
||||
|
||||
def dispatch(self, *args, **kwargs):
|
||||
def setup(self, request, *args, **kwargs):
|
||||
super().setup(request, *args, **kwargs)
|
||||
self.authenticator = utils_misc.get_password_authenticator()
|
||||
return super().dispatch(*args, **kwargs)
|
||||
|
||||
def get_success_url(self):
|
||||
if (
|
||||
|
|
|
@ -25,6 +25,7 @@ from django.urls import reverse
|
|||
from authentic2.apps.authenticators.models import LoginPasswordAuthenticator
|
||||
from authentic2.models import Attribute, SMSCode, Token
|
||||
from authentic2.utils.misc import send_password_reset_mail
|
||||
from authentic2.views import PasswordResetView
|
||||
|
||||
from . import utils
|
||||
|
||||
|
@ -493,3 +494,28 @@ def test_ou_policies(app, db, settings, user_ou1, ou1, user_ou2, ou2, mailoutbox
|
|||
|
||||
url = reverse('password_reset')
|
||||
resp = app.get(url, status=404) # globally deactivated, page not found
|
||||
|
||||
|
||||
def test_open_redirection(db, rf, app):
|
||||
BAD_URL = 'https://bad.url.com/'
|
||||
|
||||
request = rf.get(f'/password/reset/?next={BAD_URL}')
|
||||
|
||||
password_reset = PasswordResetView()
|
||||
password_reset.setup(request)
|
||||
assert password_reset.get_form_kwargs()['initial'].get('next_url') != BAD_URL
|
||||
|
||||
request = rf.post('/password/reset/', {'next_url': BAD_URL, 'email': 'john.doe@example.com'})
|
||||
password_reset = PasswordResetView()
|
||||
password_reset.setup(request)
|
||||
form = password_reset.get_form()
|
||||
assert form.is_valid()
|
||||
assert form.cleaned_data['next_url'] == BAD_URL
|
||||
|
||||
# not a problem, because... the form is protected by a CSRF token, it's
|
||||
# impossible to initialize the form from elsewhere, next_url will revert to
|
||||
# ''
|
||||
response = app.post('/password/reset/', {'next_url': BAD_URL, 'email': 'john.doe@example.com'})
|
||||
response = response.follow()
|
||||
assert response.pyquery('.messages').text() == 'The page is out of date, it was reloaded for you'
|
||||
assert response.form['next_url'].value == ''
|
||||
|
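Review bot: The first assertion, `assert password_reset.get_form_kwargs()['initial'].get('next_url') != BAD_URL`, only proves the exact string is not reflected; a normalized variant of the URL would still pass it, so it is better to pin the sanitized value the view actually produces, e.g. `assert password_reset.get_form_kwargs()['initial'].get('next_url') in ('', None)` if that is what the view yields for a rejected host (presumably `''`, given the later `response.form['next_url'].value == ''`). The comment block explains that the raw form accepts `BAD_URL` because CSRF protects the POST, and the CSRF-failure path is exercised, but a legitimately tokened submission carrying a tampered `next_url` is not; a follow-up that takes `app.get(url).form`, forces `next_url` to `BAD_URL`, submits it and asserts the redirect location is not `BAD_URL` would close that gap. `BAD_URL` is a function local and would conventionally be spelled `bad_url`. The test function is fully contained in the hunk.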
|