aljaz/CTFd
1
0
Fork 0
mirror of https://github.com/aljazceru/CTFd.git synced 2025-12-17 14:04:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Adding an error message for invalid confirm/reset links (#525)

Browse Source 
* Adding an error message for invalid confirm/reset links 
* Add tests for expired/invalid links
* Avoid non-unicode crash in base64 utilities
* Centering confirm email button
This commit is contained in:
Kevin Chung
2017-12-13 22:34:53 -05:00
committed by GitHub
parent 90b4ee03ad
commit 18d6fa26d2
5 changed files with 127 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
CTFd/auth.py
View File

@@ -11,6 +11,8 @@ from CTFd.models import db, Teams
from CTFd import utils from CTFd import utils
from CTFd.utils import ratelimit from CTFd.utils import ratelimit
import base64
auth = Blueprint('auth', __name__) auth = Blueprint('auth', __name__)
@@ -30,8 +32,8 @@ def confirm_user(data=None):
email = s.loads(utils.base64decode(data, urldecode=True), max_age=1800) email = s.loads(utils.base64decode(data, urldecode=True), max_age=1800)
except BadTimeSignature: except BadTimeSignature:
return render_template('confirm.html', errors=['Your confirmation link has expired']) return render_template('confirm.html', errors=['Your confirmation link has expired'])
except BadSignature: except (BadSignature, TypeError, base64.binascii.Error):
return render_template('confirm.html', errors=['Your confirmation link seems wrong']) return render_template('confirm.html', errors=['Your confirmation token is invalid'])
team = Teams.query.filter_by(email=email).first_or_404() team = Teams.query.filter_by(email=email).first_or_404()
team.verified = True team.verified = True
db.session.commit() db.session.commit()
@@ -80,26 +82,29 @@ def confirm_user(data=None):
@ratelimit(method="POST", limit=10, interval=60) @ratelimit(method="POST", limit=10, interval=60)
def reset_password(data=None): def reset_password(data=None):
logger = logging.getLogger('logins') logger = logging.getLogger('logins')
if data is not None and request.method == "GET":
return render_template('reset_password.html', mode='set') if data is not None:
if data is not None and request.method == "POST":
try: try:
s = TimedSerializer(app.config['SECRET_KEY']) s = TimedSerializer(app.config['SECRET_KEY'])
name = s.loads(utils.base64decode(data, urldecode=True), max_age=1800) name = s.loads(utils.base64decode(data, urldecode=True), max_age=1800)
except BadTimeSignature: except BadTimeSignature:
return render_template('reset_password.html', errors=['Your link has expired']) return render_template('reset_password.html', errors=['Your link has expired'])
except: except (BadSignature, TypeError, base64.binascii.Error):
return render_template('reset_password.html', errors=['Your link appears broken, please try again']) return render_template('reset_password.html', errors=['Your reset token is invalid'])
team = Teams.query.filter_by(name=name).first_or_404()
team.password = bcrypt_sha256.encrypt(request.form['password'].strip()) if request.method == "GET":
db.session.commit() return render_template('reset_password.html', mode='set')
logger.warn("[{date}] {ip} - successful password reset for {username}".format( if request.method == "POST":
date=time.strftime("%m/%d/%Y %X"), team = Teams.query.filter_by(name=name).first_or_404()
ip=utils.get_ip(), team.password = bcrypt_sha256.encrypt(request.form['password'].strip())
username=team.name.encode('utf-8') db.session.commit()
)) logger.warn("[{date}] {ip} - successful password reset for {username}".format(
db.session.close() date=time.strftime("%m/%d/%Y %X"),
return redirect(url_for('auth.login')) ip=utils.get_ip(),
username=team.name.encode('utf-8')
))
db.session.close()
return redirect(url_for('auth.login'))
if request.method == 'POST': if request.method == 'POST':
email = request.form['email'].strip() email = request.form['email'].strip()

2
CTFd/themes/core/templates/confirm.html
View File

@@ -46,7 +46,7 @@
Need to resend the confirmation email? Need to resend the confirmation email?
</h4> </h4>
<div class="col-md-12 text-center"> <div class="col-md-12 text-center">
<button type="submit" id="submit" tabindex="5" class="btn btn-md btn-primary btn-outlined float-right">Resend</button> <button type="submit" id="submit" tabindex="5" class="btn btn-md btn-primary btn-outlined">Resend</button>
</div> </div>
<input type="hidden" name="nonce" value="{{ nonce }}"> <input type="hidden" name="nonce" value="{{ nonce }}">
</form> </form>

10
CTFd/utils.py
View File

@@ -699,7 +699,10 @@ def base64encode(s, urlencode=False):
encoded = base64.urlsafe_b64encode(s) encoded = base64.urlsafe_b64encode(s)
if six.PY3: if six.PY3:
encoded = encoded.decode('utf-8') try:
encoded = encoded.decode('utf-8')
except UnicodeDecodeError:
pass
if urlencode: if urlencode:
encoded = quote(encoded) encoded = quote(encoded)
return encoded return encoded
@@ -717,7 +720,10 @@ def base64decode(s, urldecode=False):
decoded = base64.urlsafe_b64decode(s) decoded = base64.urlsafe_b64decode(s)
if six.PY3: if six.PY3:
decoded = decoded.decode('utf-8') try:
decoded = decoded.decode('utf-8')
except UnicodeDecodeError:
pass
return decoded return decoded

94
tests/user/test_auth.py
View File

@@ -103,3 +103,97 @@ def test_verify_and_view_unregistered():
r = client.get('/chals') r = client.get('/chals')
assert r.status_code == 200 assert r.status_code == 200
destroy_ctfd(app) destroy_ctfd(app)
@freeze_time("2019-02-24 03:21:34")
def test_expired_confirmation_links():
"""Test that expired confirmation links are reported to the user"""
app = create_ctfd()
with app.app_context():
set_config('verify_emails', True)
register_user(app, email="user@user.com")
client = login_as_user(app, name="user", password="password")
# user@user.com "2012-01-14 03:21:34"
confirm_link = 'http://localhost/confirm/InVzZXJAdXNlci5jb20iLkFmS0dQZy5kLUJnVkgwaUhadzFHaXVENHczWTJCVVJwdWc%3D'
r = client.get(confirm_link)
assert "Your confirmation link has expired" in r.get_data(as_text=True)
team = Teams.query.filter_by(email='user@user.com').first()
assert team.verified is not True
destroy_ctfd(app)
def test_invalid_confirmation_links():
"""Test that invalid confirmation links are reported to the user"""
app = create_ctfd()
with app.app_context():
set_config('verify_emails', True)
register_user(app, email="user@user.com")
client = login_as_user(app, name="user", password="password")
# user@user.com "2012-01-14 03:21:34"
confirm_link = 'http://localhost/confirm/a8375iyu<script>alert(1)<script>hn3048wueorighkgnsfg%3D%3D'
r = client.get(confirm_link)
assert "Your confirmation token is invalid" in r.get_data(as_text=True)
team = Teams.query.filter_by(email='user@user.com').first()
assert team.verified is not True
destroy_ctfd(app)
@freeze_time("2019-02-24 03:21:34")
def test_expired_reset_password_link():
"""Test that expired reset password links are reported to the user"""
app = create_ctfd()
with app.app_context():
set_config('mail_server', 'localhost')
set_config('mail_port', 25)
set_config('mail_username', 'username')
set_config('mail_password', 'password')
register_user(app, name="user1", email="user@user.com")
with app.test_client() as client:
# user@user.com "2012-01-14 03:21:34"
forgot_link = 'http://localhost/reset_password/InVzZXIxIi5BZktHUGcuTVhkTmZtOWU2U2xwSXZ1MlFwTjdwa3F5V3hR'
r = client.get(forgot_link)
assert "Your link has expired" in r.get_data(as_text=True)
destroy_ctfd(app)
def test_invalid_reset_password_link():
"""Test that invalid reset password links are reported to the user"""
app = create_ctfd()
with app.app_context():
set_config('mail_server', 'localhost')
set_config('mail_port', 25)
set_config('mail_username', 'username')
set_config('mail_password', 'password')
register_user(app, name="user1", email="user@user.com")
with app.test_client() as client:
# user@user.com "2012-01-14 03:21:34"
forgot_link = 'http://localhost/reset_password/5678ytfghjiu876tyfg<>hvbnmkoi9u87y6trdfcgvhbnm,lp09iujmk%3D'
r = client.get(forgot_link)
assert "Your reset token is invalid" in r.get_data(as_text=True)
destroy_ctfd(app)
def test_contact_for_password_reset():
"""Test that if there is no mailserver configured, users should contact admins"""
app = create_ctfd()
with app.app_context():
register_user(app, name="user1", email="user@user.com")
with app.test_client() as client:
forgot_link = 'http://localhost/reset_password'
r = client.get(forgot_link)
assert "Contact a CTF organizer" in r.get_data(as_text=True)
destroy_ctfd(app)

4
tests/user/test_user_facing.py
View File

@@ -580,7 +580,7 @@ def test_user_can_confirm_email(mock_smtp):
@patch('smtplib.SMTP') @patch('smtplib.SMTP')
@freeze_time("2012-01-14 03:21:34") @freeze_time("2012-01-14 03:21:34")
def test_user_can_reset_password(mock_smtp): def test_user_can_reset_password(mock_smtp):
'''Test that a user is capable of resetting their password''' """Test that a user is capable of resetting their password"""
from email.mime.text import MIMEText from email.mime.text import MIMEText
app = create_ctfd() app = create_ctfd()
with app.app_context(): with app.app_context():
@@ -635,7 +635,7 @@ http://localhost/reset_password/InVzZXIxIi5BZktHUGcuTVhkTmZtOWU2U2xwSXZ1MlFwTjdw
} }
# Do the password reset # Do the password reset
r = client.get('/reset_password') r = client.get('/reset_password/InVzZXIxIi5BZktHUGcuTVhkTmZtOWU2U2xwSXZ1MlFwTjdwa3F5V3hR')
r = client.post('/reset_password/InVzZXIxIi5BZktHUGcuTVhkTmZtOWU2U2xwSXZ1MlFwTjdwa3F5V3hR', data=data) r = client.post('/reset_password/InVzZXIxIi5BZktHUGcuTVhkTmZtOWU2U2xwSXZ1MlFwTjdwa3F5V3hR', data=data)
# Make sure that the user's password changed # Make sure that the user's password changed