utils: make sure user_nameid/user_email cannot be forged (#17173)

2017-06-24 11:18:00 +02:00 · 2017-06-24 11:18:00 +02:00 · a353802d12
parent 12659ae52e
commit a353802d12
2 changed files with 11 additions and 3 deletions
--- a/combo/utils.py
+++ b/combo/utils.py
@ -179,6 +179,8 @@ def get_templated_url(url, context=None):
    template_vars = Context()
    if context:
        template_vars.update(context)
+        template_vars['user_email'] = ''
+        template_vars['user_nameid'] = ''
        user = getattr(context.get('request'), 'user', None)
        if user and user.is_authenticated():
            template_vars['user_email'] = quote(user.email)
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@ -55,10 +55,16 @@ def test_templated_url():
    request.user = None
    for context in (None, Context({}), Context({'request': None}),
                    Context({'request': request})):
+        if context is None:
+            with pytest.raises(UnknownTemplateVariableError) as e:
+                get_templated_url('NameID=[user_nameid]', context=context)
+            with pytest.raises(UnknownTemplateVariableError) as e:
+                get_templated_url('email=[user_email]', context=context)
+        else:
+            assert get_templated_url('NameID=[user_nameid]', context=context) == 'NameID='
+            assert get_templated_url('email=[user_email]', context=context) == 'email='
        with pytest.raises(UnknownTemplateVariableError) as e:
-            get_templated_url('NameID=[user_nameid]', context=context)
-        with pytest.raises(UnknownTemplateVariableError):
-            get_templated_url('email=[user_email]', context=context)
+            get_templated_url('foo=[bar]', context=context)
        if context:
            context['foobar'] = 'barfoo'
            assert get_templated_url('[foobar]', context=context) == 'barfoo'