From fcf65a3e6d1edfb0ea8ccf771dcb16cd1aebd185 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Sat, 24 Jun 2017 11:18:00 +0200
Subject: [PATCH] utils: make sure user_nameid/user_email cannot be forged (#17173)

---
 combo/utils.py | 2 ++
 tests/test_utils.py | 12 +++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/combo/utils.py b/combo/utils.py
index 6524550..a633660 100644
--- a/combo/utils.py
+++ b/combo/utils.py
@@ -180,6 +180,8 @@ def get_templated_url(url, context=None):
     if context:
         template_vars.update(context)
         user = getattr(context.get('request'), 'user', None)
+        template_vars['user_email'] = ''
+        template_vars['user_nameid'] = ''
         if user and user.is_authenticated():
             template_vars['user_email'] = quote(user.email)
             if hasattr(user, 'saml_identifiers') and user.saml_identifiers.exists():
diff --git a/tests/test_utils.py b/tests/test_utils.py
index dd3b1a5..376b335 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -55,10 +55,16 @@ def test_templated_url():
     request.user = None
     for context in (None, Context({}), Context({'request': None}), Context({'request': request})):
+        if context is None:
+            with pytest.raises(UnknownTemplateVariableError) as e:
+                get_templated_url('NameID=[user_nameid]', context=context)
+            with pytest.raises(UnknownTemplateVariableError) as e:
+                get_templated_url('email=[user_email]', context=context)
+        else:
+            assert get_templated_url('NameID=[user_nameid]', context=context) == 'NameID='
+            assert get_templated_url('email=[user_email]', context=context) == 'email='
         with pytest.raises(UnknownTemplateVariableError) as e:
-            get_templated_url('NameID=[user_nameid]', context=context)
-        with pytest.raises(UnknownTemplateVariableError):
-            get_templated_url('email=[user_email]', context=context)
+            get_templated_url('foo=[bar]', context=context)
         if context:
             context['foobar'] = 'barfoo'
         assert get_templated_url('[foobar]', context=context) == 'barfoo'
-- 
2.13.1
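Review bot: The two added assignments are the entire guard against a caller-supplied context injecting `user_email` / `user_nameid`, yet nothing in the hunk records that they must stay after `template_vars.update(context)`; a later tidy-up that moves them into the initial dict would silently reopen the issue from the subject line. I would add, directly above the two assignments, `# set AFTER update(context): values coming from the caller's context must never stand in for the authenticated user's identity`. If the function fills other identity-derived variables from `user` further down (get_templated_url continues outside the hunk), they presumably need the same reset, which is worth checking. Also note the reset only runs inside `if context:`, so a None context leaves both names undefined rather than empty — consistent with the new test, but worth stating in the function's docstring.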
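Review bot: The new assertions check the empty default but never exercise the forgery the commit is about — no context in the loop already carries a `user_nameid` or `user_email` key, so the test would still pass if the reset were dropped again. I would add, after the loop, `assert get_templated_url('NameID=[user_nameid]', context=Context({'request': request, 'user_nameid': 'forged'})) == 'NameID='` and the matching `email=` case. As a point of style, the added `with pytest.raises(UnknownTemplateVariableError) as e:` lines bind `e` without using it; the removed code had already dropped `as e` on the second one, so `with pytest.raises(UnknownTemplateVariableError):` keeps both consistent. test_templated_url begins before the hunk.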