Security update - Password could be unset from settings form unexpectedly (#808)
rodzic
e318253f31
commit
6f072b42e8
|
@ -703,7 +703,14 @@ def changedetection_app(config=None, datastore_o=None):
|
||||||
return redirect(url_for('settings_page'))
|
return redirect(url_for('settings_page'))
|
||||||
|
|
||||||
if form.validate():
|
if form.validate():
|
||||||
datastore.data['settings']['application'].update(form.data['application'])
|
# Don't set password to False when a password is set - should be only removed with the `removepassword` button
|
||||||
|
app_update = dict(deepcopy(form.data['application']))
|
||||||
|
|
||||||
|
# Never update password with '' or False (Added by wtforms when not in submission)
|
||||||
|
if 'password' in app_update and not app_update['password']:
|
||||||
|
del (app_update['password'])
|
||||||
|
|
||||||
|
datastore.data['settings']['application'].update(app_update)
|
||||||
datastore.data['settings']['requests'].update(form.data['requests'])
|
datastore.data['settings']['requests'].update(form.data['requests'])
|
||||||
|
|
||||||
if not os.getenv("SALTED_PASS", False) and len(form.application.form.password.encrypted_password):
|
if not os.getenv("SALTED_PASS", False) and len(form.application.form.password.encrypted_password):
|
||||||
|
|
|
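Review bot: The guard `if 'password' in app_update and not app_update['password']` only stops the stored password from being blanked; any truthy value wtforms placed in `form.data['application']['password']` is still persisted through `update(app_update)`, so it is worth confirming that this value is the salted/encrypted form (the field exposes `encrypted_password` on the hunk's last line) and never the raw submission. The truthiness check also means the settings form can never clear a password, which matches the comment's intent that only the `removepassword` button does so; a short comment naming where that button is handled would help the next reader. Minor style: `del (app_update['password'])` has redundant parentheses — `del app_update['password']`. The enclosing `changedetection_app` function and the `SALTED_PASS` branch that follows continue outside the hunk.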
@ -19,7 +19,6 @@ def test_check_access_control(app, client):
|
||||||
)
|
)
|
||||||
|
|
||||||
assert b"Password protection enabled." in res.data
|
assert b"Password protection enabled." in res.data
|
||||||
assert b"LOG OUT" not in res.data
|
|
||||||
|
|
||||||
# Check we hit the login
|
# Check we hit the login
|
||||||
res = c.get(url_for("index"), follow_redirects=True)
|
res = c.get(url_for("index"), follow_redirects=True)
|
||||||
|
@ -38,7 +37,42 @@ def test_check_access_control(app, client):
|
||||||
follow_redirects=True
|
follow_redirects=True
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Yes we are correctly logged in
|
||||||
assert b"LOG OUT" in res.data
|
assert b"LOG OUT" in res.data
|
||||||
|
|
||||||
|
# 598 - Password should be set and not accidently removed
|
||||||
|
res = c.post(
|
||||||
|
url_for("settings_page"),
|
||||||
|
data={
|
||||||
|
"requests-time_between_check-minutes": 180,
|
||||||
|
'application-fetch_backend': "html_requests"},
|
||||||
|
follow_redirects=True
|
||||||
|
)
|
||||||
|
|
||||||
|
res = c.get(url_for("logout"),
|
||||||
|
follow_redirects=True)
|
||||||
|
|
||||||
|
res = c.get(url_for("settings_page"),
|
||||||
|
follow_redirects=True)
|
||||||
|
|
||||||
|
|
||||||
|
assert b"Login" in res.data
|
||||||
|
|
||||||
|
res = c.get(url_for("login"))
|
||||||
|
assert b"Login" in res.data
|
||||||
|
|
||||||
|
|
||||||
|
res = c.post(
|
||||||
|
url_for("login"),
|
||||||
|
data={"password": "foobar"},
|
||||||
|
follow_redirects=True
|
||||||
|
)
|
||||||
|
|
||||||
|
# Yes we are correctly logged in
|
||||||
|
assert b"LOG OUT" in res.data
|
||||||
|
return
|
||||||
|
|
||||||
|
|
||||||
res = c.get(url_for("settings_page"))
|
res = c.get(url_for("settings_page"))
|
||||||
|
|
||||||
# Menu should be available now
|
# Menu should be available now
|
||||||
|
|
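Review bot: The `return` added at the end of the new block makes the rest of `test_check_access_control` (the `settings_page` GET and the "Menu should be available now" checks that follow it) unreachable, so those assertions no longer run; drop the `return` or move the new checks to the end of the function. The regression check can also pass vacuously if the settings POST fails validation, because a failed `form.validate()` skips the password update entirely — assert on the success message the settings view renders after the POST (whatever string it uses) before logging out. The comment typo `accidently` should read `accidentally`. The enclosing test function starts before and ends after the hunk.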