Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed potentional security issue with leaked password tokens #1757

Merged
merged 5 commits into from
Jul 26, 2017
Merged

Fixed potentional security issue with leaked password tokens #1757

merged 5 commits into from
Jul 26, 2017

Conversation

joshblum
Copy link
Contributor

Django 1.11+ prevents password tokens from being leaked through the
HTTP Referer header if a template calls out to third-party resources
(i.e., JS or CSS) by setting token in session and redirecting.

Fixes #1755

lorddaedra
lorddaedra suggested changes Jun 10, 2017
View reviewed changes
.travis.yml Outdated
@@ -11,7 +11,7 @@ env:
- DJANGO="Django<1.9"
- DJANGO="Django<1.10"
- DJANGO="Django<1.11"
- DJANGO="Django==1.11b1"
- DJANGO="Django>=1.11"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

<2.0 is better here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

setup.py Outdated
@@ -149,6 +149,9 @@ def find_package_data(where=".", package="", exclude=standard_exclude,
'Programming Language :: Python :: 3.4',
'Programming Language :: Python :: 3.5',
'Framework :: Django',
'Framework :: Django :: 1.9',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1.9 is not supported, better do not include it, instead you can add 1.8, which is supported

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my mistake, done!

.travis.yml Outdated
@@ -31,7 +31,7 @@ matrix:
- python: "3.3"
env: DJANGO="Django<1.11"
- python: "3.3"
env: DJANGO="Django==1.11b1"
env: DJANGO="Django>=1.11"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

<2.0 is better here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

tox.ini Outdated
@@ -8,7 +8,7 @@ deps =
django18: Django < 1.9
django19: Django < 1.10
django110: Django < 1.11
django111: Django==1.11b1
django111: Django >= 1.11
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

<2.0 is better here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@joshblum
Copy link
Contributor Author

@lorddaedra I'm getting the following error when testing:

isort $(find /home/travis/build/pennersr/django-allauth/allauth -not -path '*/migrations/*' -type f -name '*.py' -not -name '__init__.py' -print) -c
ERROR: /home/travis/build/pennersr/django-allauth/allauth/account/views.py Imports are incorrectly sorted.
ERROR: /home/travis/build/pennersr/django-allauth/allauth/socialaccount/providers/dwolla/urls.py Imports are incorrectly sorted.
ERROR: /home/travis/build/pennersr/django-allauth/allauth/socialaccount/providers/dwolla/views.py Imports are incorrectly sorted.

I didn't edit any import statements, do you have any suggestions for getting tests to pass?

@pennersr
Copy link
Owner

Please rebase your changes on latest master, then the problem will be gone (git diff master..fix-referrer -- this will show that lots of stuff has changed between master and your branch)

joshblum added 3 commits July 26, 2017 15:20
@joshblum
Fixed potentional security issue with leaked password tokens
18cf30d 
Django 1.11+ prevents password tokens from being leaked through the
HTTP Referer header if a template calls out to third-party resources
(i.e., JS or CSS) by setting token in session and redirecting.
@joshblum
Fix tests
38e87ea
@joshblum
Fix redirect bug in test
1ef8237
@joshblum
Copy link
Contributor Author

@pennersr Updated, let me know if I should make any other changes!

@coveralls
Copy link

coveralls commented Jul 26, 2017
edited
Loading

Coverage Status

Coverage increased (+0.008%) to 94.193% when pulling 1ef8237 on joshblum:fix-referrer into 1e526ed on pennersr:master.

@coveralls
Copy link

coveralls commented Jul 26, 2017
edited
Loading

Coverage Status

Coverage increased (+0.008%) to 94.193% when pulling 872811e on joshblum:fix-referrer into 1e526ed on pennersr:master.

2 similar comments
@coveralls
Copy link

Coverage Status

Coverage increased (+0.008%) to 94.193% when pulling 872811e on joshblum:fix-referrer into 1e526ed on pennersr:master.

@coveralls
Copy link

Coverage Status

Coverage increased (+0.008%) to 94.193% when pulling 872811e on joshblum:fix-referrer into 1e526ed on pennersr:master.

@joshblum
Copy link
Contributor Author

@pennersr builds still seem to be failing due to an import sort error. Any insights? I'm not sure what to fix since this PR didn't change any imports.

ERROR: /home/travis/build/pennersr/django-allauth/allauth/account/views.py Imports are incorrectly sorted.

@pennersr
Copy link
Owner

The flake8 build output is a bit misleading.. it is actually this line that is the problem:

ERROR: /Users/pennersr/src/django-allauth/allauth/account/views.py Imports are incorrectly sorted.

So, you need two empty lines before INTERNAL_RESET_URL_KEY = "set-password"

@joshblum
Copy link
Contributor Author

Thanks!!

@coveralls
Copy link

coveralls commented Jul 26, 2017
edited
Loading

Coverage Status

Coverage increased (+0.008%) to 94.193% when pulling eb15d1d on joshblum:fix-referrer into 1e526ed on pennersr:master.

@pennersr
Copy link
Owner

Thanks in return!

@pennersr pennersr merged commit 7c2b13c into pennersr:master Jul 26, 2017
@joshblum joshblum deleted the fix-referrer branch July 26, 2017 20:27
@richtier richtier mentioned this pull request Aug 30, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lorddaedra lorddaedra lorddaedra requested changes

Assignees
No one assigned
Labels
Needs improvement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@joshblum @pennersr @coveralls @lorddaedra