skorotkiewicz/rDrama
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix: Redirect loop on formkey or nonce mismatch.

Browse source 
* fix 401-302-401-302-429 loop

* don't logout users on bad form key, just treat the request as unauthenticated

* Handle None/empty case in validate_formkey.

A supplied empty formkey, or the lack of a supplied formkey (None) is not a valid formkey. Handle this inside the function rather than at the call-site.

* Validate as false if no hashstr or string

Co-authored-by: Snakes <104547575+TLSM@users.noreply.github.com>
This commit is contained in:
justcool393 2022-12-17 09:20:27 -08:00 committed by GitHub
parent a213396854
commit 1ae3dc85c2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

15
files/helpers/wrappers.py
View file

@ -27,19 +27,22 @@ def get_logged_in_user():
id = int(lo_user)
v = g.db.query(User).get(id)
if v:
v.client = None
nonce = session.get("login_nonce", 0)
if nonce < v.login_nonce or v.id != id: abort(401)
if nonce < v.login_nonce or v.id != id:
session.pop("lo_user")
v = None
if request.method != "GET":
if v and request.method != "GET":
submitted_key = request.values.get("formkey")
if not submitted_key and request.is_json:
json = request.get_json(silent=True)
if json and type(json) is dict:
submitted_key = json.get('formkey')
if not submitted_key: abort(401)
if not v.validate_formkey(submitted_key): abort(401)
v.client = None
if not v.validate_formkey(submitted_key):
v = None
else:
session.pop("lo_user")
if request.method.lower() != "get" \
and app.config['SETTINGS']['Read-only mode'] \