Sanitizing token. #143
Sanitizing token. #143
Conversation
| @@ -62,7 +62,7 @@ def login_get(): | |||
| if not subid: | |||
| token = request.args.get("token") | |||
| if token: | |||
|
|
|||
| token = form.token.data.encode('ascii', errors = 'ignore').decode().strip() | |||
There was a problem hiding this comment.
This isn't technically correct - note that above we are getting the token from request.args, and then below you are again getting it (but this time from form data). I think you would just want to apply that encode to the token you've already gotten. Also look below here to see there are two cases where we retrieve the token, one from the request and one from form data, and you should test if you need to encode both.
There was a problem hiding this comment.
How about putting the line inside the function validate_token()?
There was a problem hiding this comment.
There are actual multiple instances of that function, I think 3 or 4 places to add it, vs. adding to the original grab of the token (N=2). So I'm thinking we want it after retrieving the argument.
There was a problem hiding this comment.
You need to keep the same methods to retrieve the token (request.args.get) and then in the "if token" statement further do token = token.encode...
|
@AlvaroAguilera I had requested some changes here - any updates? |
|
I'm in debt, I know. Hope to find time for this soon. |
Description of the Pull Request (PR):
Small token sanitation line to fix the issue with participants copying tokens with added zero-width spaces.
This fixes or addresses the following GitHub issues:
Checkoff for all PRs:
Attn: @AlvaroAguilera