utils: make sure user_nameid/user_email cannot be forged (#17173)
parent
12659ae52e
commit
a353802d12
|
@ -179,6 +179,8 @@ def get_templated_url(url, context=None):
|
|||
template_vars = Context()
|
||||
if context:
|
||||
template_vars.update(context)
|
||||
template_vars['user_email'] = ''
|
||||
template_vars['user_nameid'] = ''
|
||||
user = getattr(context.get('request'), 'user', None)
|
||||
if user and user.is_authenticated():
|
||||
template_vars['user_email'] = quote(user.email)
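Review bot: The resets `template_vars['user_email'] = ''` and `template_vars['user_nameid'] = ''` (apparently the two added lines) only protect these variables because they run after `template_vars.update(context)`, and nothing in the code records that ordering requirement. I would put a comment above them, for example `# identity variables must come from request.user only; clear whatever the caller-supplied context carried`, so a later reorder or a newly added identity variable does not quietly reopen the override. Indentation is lost in this rendering, so I am assuming the resets sit inside `if context:`, which is consistent with the test expecting UnknownTemplateVariableError for `context=None`. The body of get_templated_url continues past the hunk, so the `user_nameid` assignment for an authenticated user is not visible here.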
|
||||
|
|
|
@ -55,10 +55,16 @@ def test_templated_url():
|
|||
request.user = None
|
||||
for context in (None, Context({}), Context({'request': None}),
|
||||
Context({'request': request})):
|
||||
if context is None:
|
||||
with pytest.raises(UnknownTemplateVariableError) as e:
|
||||
get_templated_url('NameID=[user_nameid]', context=context)
|
||||
with pytest.raises(UnknownTemplateVariableError) as e:
|
||||
get_templated_url('email=[user_email]', context=context)
|
||||
else:
|
||||
assert get_templated_url('NameID=[user_nameid]', context=context) == 'NameID='
|
||||
assert get_templated_url('email=[user_email]', context=context) == 'email='
|
||||
with pytest.raises(UnknownTemplateVariableError) as e:
|
||||
get_templated_url('NameID=[user_nameid]', context=context)
|
||||
with pytest.raises(UnknownTemplateVariableError):
|
||||
get_templated_url('email=[user_email]', context=context)
|
||||
get_templated_url('foo=[bar]', context=context)
|
||||
if context:
|
||||
context['foobar'] = 'barfoo'
|
||||
assert get_templated_url('[foobar]', context=context) == 'barfoo'
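Review bot: None of the contexts in this loop carries a caller-supplied `user_nameid` or `user_email`, so the visible assertions pass without ever exercising the override this commit is meant to block. A regression case such as `assert get_templated_url('email=[user_email]', context=Context({'user_email': 'forged@example.com'})) == 'email='` (constructed value), plus the same for `user_nameid`, would pin the fix. A further case with an authenticated `request.user` and a conflicting context value would confirm the real identity wins; it may already exist outside this hunk, since test_templated_url starts and ends beyond it. As a style point, the `as e` bindings on the `pytest.raises` blocks are unused in the visible lines and can be dropped.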
|
||||
|
|