utils: forbid argument after signature (#35050)
parent
68b376d3f3
commit
e473667be1
|
@ -76,12 +76,14 @@ def check_query(query, keys, known_nonce=None, timedelta=30):
|
|||
if not ('signature' in parsed and 'algo' in parsed and
|
||||
'timestamp' in parsed and 'nonce' in parsed):
|
||||
return False
|
||||
unsigned_query, end_of_query = query.split('&signature=', 1)
|
||||
if '&' in end_of_query: # nothing after signature
|
||||
return False
|
||||
signature = base64.b64decode(parsed['signature'][0])
|
||||
algo = parsed['algo'][0]
|
||||
timestamp = parsed['timestamp'][0]
|
||||
timestamp = datetime.datetime.strptime(timestamp, '%Y-%m-%dT%H:%M:%SZ')
|
||||
nonce = parsed['nonce']
|
||||
unsigned_query = query.split('&signature=')[0]
|
||||
if known_nonce is not None and known_nonce(nonce):
|
||||
return False
|
||||
if abs(datetime.datetime.utcnow() - timestamp) > datetime.timedelta(seconds=timedelta):
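Review bot: The new unpacking `unsigned_query, end_of_query = query.split('&signature=', 1)` raises ValueError when `signature` is the first parameter of the query string (no `&` in front of it), a shape that the `'signature' in parsed` guard above lets through, whereas the removed `query.split('&signature=')[0]` never raised there; assuming `query` is the bare query string, as the split on `&signature=` suggests, this lets a caller-controlled URL turn a rejection into an unhandled exception instead of the `return False` the rest of check_query uses. `str.partition` makes the missing-separator case explicit: `unsigned_query, sep, end_of_query = query.partition('&signature=')` followed by `if not sep or '&' in end_of_query:` and `return False`. The `'&' in end_of_query` test itself is sound, since a repeated `&signature=` also lands in end_of_query and is rejected. check_query continues past the hunk (the timedelta comparison on the last line has its body outside the view), and the pre-existing `nonce = parsed['nonce']` still passes the whole list to known_nonce, unlike the `[0]` used for the sibling fields.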
|
||||
|
|
|
@ -219,6 +219,8 @@ def test_add_amount_to_basket(app, key, regie, user):
|
|||
assert BasketItem.objects.filter(amount=amount).exists()
|
||||
assert BasketItem.objects.filter(amount=amount)[0].regie_id == regie.id
|
||||
|
||||
resp = app.post_json('%s&amount=10' % url, params=data, status=403) # bad signature
|
||||
|
||||
data['extra'] = {'amount': '22.22'}
|
||||
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
|
||||
url = sign_url(url, key)
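Review bot: The comment `# bad signature` on the new `status=403` request is misleading: the signature in `url` is the valid one produced by sign_url, and the request is rejected only because `&amount=10` is appended after it, which is the behaviour this commit introduces in check_query. Suggest `# argument appended after the signature must be rejected` so the test documents the rule it pins. The 403 mapping from check_query's `return False` is not visible in this hunk, so the assertion relies on the view's handling of that result. No case covers a query whose `signature` parameter comes first, which the new split-and-unpack in check_query treats differently from a trailing argument; if that shape is reachable from callers it deserves its own assertion.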
|
||||
|
@ -229,9 +231,9 @@ def test_add_amount_to_basket(app, key, regie, user):
|
|||
|
||||
data['amount'] = [amount]
|
||||
data['extra'] = {'amount': ['22.22', '12']}
|
||||
url = '%s?email=%s&orig=wcs' % (reverse('api-add-basket-item'), user_email)
|
||||
url = '%s?email=%s&orig=wcs&amount=5' % (reverse('api-add-basket-item'), user_email)
|
||||
url = sign_url(url, key)
|
||||
resp = app.post_json('%s&amount=5' % url, params=data)
|
||||
resp = app.post_json(url, params=data)
|
||||
assert resp.status_code == 200
|
||||
assert json.loads(resp.content)['result'] == 'success'
|
||||
assert BasketItem.objects.filter(amount=Decimal('81.22')).exists()
|
||||
|
|