Fixed security issue with password update.

modoboa · Apr 14, 2023 · 130257c · 130257c
1 parent 288f62a
commit 130257c
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/modoboa/core/forms.py b/modoboa/core/forms.py
@@ -92,6 +92,11 @@ def clean(self):
                         confirmation, self.instance)
             else:
                 self.add_error("oldpassword", _("This field is required."))
+        elif newpassword or confirmation:
+            if not confirmation:
+                self.add_error("confirmation", _("This field is required."))
+            else:
+                self.add_error("newpassword", _("This field is required."))
         return self.cleaned_data
 
     def save(self, commit=True):

diff --git a/modoboa/core/tests/test_core.py b/modoboa/core/tests/test_core.py
@@ -146,6 +146,13 @@ def test_update_password(self):
             self.client.login(username="user@test.com", password="toto"), True
         )
 
+        self.ajax_post(
+            reverse("core:user_profile"),
+            {"oldpassword": "toto",
+             "confirmation": "tutu"},
+            status=400
+        )
+
         self.ajax_post(
             reverse("core:user_profile"),
             {"oldpassword": "toto",