0001-utils-make-sure-user_nameid-user_email-cannot-be-for.patch

Frédéric Péters, 26 juin 2017 10:18

Voir les différences: en ligne côte à côte

Subject: [PATCH] utils: make sure user_nameid/user_email cannot be forged
 (#17173)

 combo/utils.py      |  2 ++
 tests/test_utils.py | 12 +++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

         if context:
             template_vars.update(context)
             user = getattr(context.get('request'), 'user', None)
             template_vars['user_email'] = ''
             template_vars['user_nameid'] = ''
             if user and user.is_authenticated():
                 template_vars['user_email'] = quote(user.email)
                 if hasattr(user, 'saml_identifiers') and user.saml_identifiers.exists():

         request.user = None
         for context in (None, Context({}), Context({'request': None}),
                         Context({'request': request})):
             if context is None:
                 with pytest.raises(UnknownTemplateVariableError) as e:
                     get_templated_url('NameID=[user_nameid]', context=context)
                 with pytest.raises(UnknownTemplateVariableError) as e:
                     get_templated_url('email=[user_email]', context=context)
             else:
                 assert get_templated_url('NameID=[user_nameid]', context=context) == 'NameID='
                 assert get_templated_url('email=[user_email]', context=context) == 'email='
             with pytest.raises(UnknownTemplateVariableError) as e:
                 get_templated_url('NameID=[user_nameid]', context=context)
             with pytest.raises(UnknownTemplateVariableError):
                 get_templated_url('email=[user_email]', context=context)
                 get_templated_url('foo=[bar]', context=context)
             if context:
                 context['foobar'] = 'barfoo'
                 assert get_templated_url('[foobar]', context=context) == 'barfoo'
+    -

Produits Entr'ouvert » Combo