Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent leaking password reset token through Referrer header #268

Merged
merged 6 commits into from
Jun 27, 2017
Merged

Prevent leaking password reset token through Referrer header #268

merged 6 commits into from
Jun 27, 2017

Conversation

joshblum
Copy link
Collaborator

@joshblum joshblum commented Jun 7, 2017
edited
Loading

Addresses #266, preventing the leaking of password reset token through the Referrer header.

For Django 1.11+, we fix by using the newer class based views.

For versions of Django below 1.11 we add a meta block to the template add at the meta tag <meta name="referrer" content="never">. In addition, we add rel="noreferrer" to the password reset email.

@joshblum joshblum requested a review from dicato June 7, 2017 21:57
This was referenced Jun 7, 2017
Closed
Closed
Closed
Closed
Open
Open
@coveralls
Copy link

coveralls commented Jun 7, 2017
edited
Loading

Coverage Status

Coverage increased (+0.04%) to 97.328% when pulling a15f663 on referrer-fixes into 9de44cf on master.

@joshblum
Copy link
Collaborator Author

joshblum commented Jun 7, 2017

@macropin @dicato I tried to go through a list of similar apps that might have issues to alert them: https://djangopackages.org/grids/g/registration/
If either of you know of any other packages that may be affected, let me know and i'll be happy to open something up :)

@coveralls
Copy link

coveralls commented Jun 7, 2017
edited
Loading

Coverage Status

Coverage increased (+0.04%) to 97.328% when pulling a15f663 on referrer-fixes into 9de44cf on master.

@coveralls
Copy link

coveralls commented Jun 7, 2017
edited
Loading

Coverage Status

Coverage increased (+0.04%) to 97.328% when pulling a15f663 on referrer-fixes into 9de44cf on master.

joshblum
joshblum commented Jun 8, 2017
View reviewed changes
registration/auth_urls.py Outdated
@@ -27,35 +27,54 @@
from django.core.urlresolvers import reverse_lazy
from django.contrib.auth import views as auth_views

# Attempt to use the auth class based views if available.
try:
login_view = auth_views.LoginView.as_view()
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

need to pass kwargs to as_view to override defaults

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@coveralls
Copy link

coveralls commented Jun 9, 2017
edited
Loading

Coverage Status

Coverage increased (+0.007%) to 97.293% when pulling 51bcd1c on referrer-fixes into 9de44cf on master.

@coveralls
Copy link

coveralls commented Jun 9, 2017
edited
Loading

Coverage Status

Coverage increased (+0.007%) to 97.293% when pulling 51bcd1c on referrer-fixes into 9de44cf on master.

@dicato
Copy link
Collaborator

dicato commented Jun 26, 2017

@joshblum sorry for the delay. Looks good to me!

Do you want to fix the use of "referrer" to "referer"? Probably good to be consistent with the original misspelling.

@joshblum
Copy link
Collaborator Author

@dicato great! fixed the misspellings and will merge/pypy bump after tests :)

@coveralls
Copy link

coveralls commented Jun 26, 2017
edited
Loading

Coverage Status

Coverage increased (+0.007%) to 97.293% when pulling 9ab2d56 on referrer-fixes into 9de44cf on master.

3 similar comments
@coveralls
Copy link

Coverage Status

Coverage increased (+0.007%) to 97.293% when pulling 9ab2d56 on referrer-fixes into 9de44cf on master.

@coveralls
Copy link

Coverage Status

Coverage increased (+0.007%) to 97.293% when pulling 9ab2d56 on referrer-fixes into 9de44cf on master.

@coveralls
Copy link

Coverage Status

Coverage increased (+0.007%) to 97.293% when pulling 9ab2d56 on referrer-fixes into 9de44cf on master.

@coveralls
Copy link

coveralls commented Jun 26, 2017
edited
Loading

Coverage Status

Coverage increased (+0.007%) to 97.293% when pulling 9ab2d56 on referrer-fixes into 9de44cf on master.

@coveralls
Copy link

coveralls commented Jun 26, 2017
edited
Loading

Coverage Status

Coverage increased (+0.007%) to 97.293% when pulling 9ab2d56 on referrer-fixes into 9de44cf on master.

@coveralls
Copy link

coveralls commented Jun 26, 2017
edited
Loading

Coverage Status

Coverage increased (+0.007%) to 97.293% when pulling 9ab2d56 on referrer-fixes into 9de44cf on master.

@joshblum joshblum merged commit 3a2e018 into master Jun 27, 2017
@joshblum joshblum deleted the referrer-fixes branch June 27, 2017 13:49
@joshblum joshblum mentioned this pull request Jun 27, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dicato dicato Awaiting requested review from dicato

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@joshblum @coveralls @dicato