Fix: Redirect loop on formkey or nonce mismatch.

* fix 401-302-401-302-429 loop

* don't logout users on bad form key, just treat the request as unauthenticated

* Handle None/empty case in validate_formkey.

A supplied empty formkey, or the lack of a supplied formkey (None) is not a valid formkey. Handle this inside the function rather than at the call-site.

* Validate as false if no hashstr or string

Co-authored-by: Snakes <104547575+TLSM@users.noreply.github.com>
justcool393 2022-12-17 09:20:27 -08:00 committed by GitHub
parent a213396854
commit 1ae3dc85c2
3 changed files with 11 additions and 8 deletions


@ -366,7 +366,7 @@ class User(Base):
return generate_hash(msg)
def validate_formkey(self, formkey):
if not formkey: return False
return validate_hash(f"{session['session_id']}+{self.id}+{self.login_nonce}", formkey)
@property
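Review bot: the new `if not formkey: return False` guard handles a missing or empty formkey, but the line after it still indexes `session['session_id']`, which raises KeyError instead of returning False when the request carries no session at all; given the stated goal of treating such requests as unauthenticated rather than erroring, consider reading the id with `session.get('session_id')` and returning False when it is absent. Minor style point: put the `return False` on its own line under the `if` rather than on the same line.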