Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitizing token. #143

Closed
wants to merge 1 commit into from
Closed

Sanitizing token. #143

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion expfactory/views/headless.py
View file
Open in desktop
Expand Up @@ -62,7 +62,7 @@ def login_get():
if not subid:
token = request.args.get("token")
if token:

token = form.token.data.encode('ascii', errors = 'ignore').decode().strip()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't technically correct - note that above we are getting the token from request.args, and then below you are again getting it (but this time from form data). I think you would just want to apply that encode to the token you've already gotten. Also look below here to see there are two cases where we retrieve the token, one from the request and one from form data, and you should test if you need to encode both.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about putting the line inside the function validate_token()?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are actual multiple instances of that function, I think 3 or 4 places to add it, vs. adding to the original grab of the token (N=2). So I'm thinking we want it after retrieving the argument.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to keep the same methods to retrieve the token (request.args.get) and then in the "if token" statement further do token = token.encode...

subid = app.validate_token(token)
if subid is None:
return headless_denied(form=EntryForm())
Expand Down