Fixed exposed password in session

The project password was stored in clear text
in the session cookie. The cookie payload is
only base64 encoded, not encrypted, so it must
not be used to store private information. The
password is replaced by a boolean.
0livd 2017-09-06 18:49:15 +02:00
parent 6ccf86919e
commit 3a4a1b7357
2 changed files with 8 additions and 8 deletions


@ -181,7 +181,7 @@ class BudgetTestCase(IhatemoneyTestCase):
}) })
# session is updated # session is updated
self.assertEqual(session['raclette'], 'party') self.assertTrue(session['raclette'])
# project is created # project is created
self.assertEqual(len(models.Project.query.all()), 1) self.assertEqual(len(models.Project.query.all()), 1)
@ -373,7 +373,7 @@ class BudgetTestCase(IhatemoneyTestCase):
self.assertNotIn("Authentication", resp.data.decode('utf-8')) self.assertNotIn("Authentication", resp.data.decode('utf-8'))
self.assertIn('raclette', session) self.assertIn('raclette', session)
self.assertEqual(session['raclette'], 'raclette') self.assertTrue(session['raclette'])
# logout should wipe the session out # logout should wipe the session out
c.get("/exit") c.get("/exit")
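Review bot: The new `self.assertTrue(session['raclette'])` at -181 and -373 only checks truthiness, so a regression that puts the password string back into the session would still pass, which is exactly what this commit is meant to prevent. Pin the stored value and assert the secret is absent, e.g. in the first test `self.assertIs(session['raclette'], True)` followed by `self.assertNotIn('party', session.values())` ('party' being the password the old assertion compared against), and the same pattern with 'raclette' in the second test. Both test methods start outside the visible hunks.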


@ -105,7 +105,7 @@ def pull_project(endpoint, values):
project_id=project_id)) project_id=project_id))
is_admin = session.get('is_admin') is_admin = session.get('is_admin')
if (project.id in session and session[project.id] == project.password) or is_admin: if session.get(project.id) or is_admin:
# add project into kwargs and call the original function # add project into kwargs and call the original function
g.project = project g.project = project
else: else:
@ -173,7 +173,7 @@ def authenticate(project_id=None):
else: else:
# if credentials are already in session, redirect # if credentials are already in session, redirect
if project_id in session and project.password == session[project_id]: if session.get(project_id):
setattr(g, 'project', project) setattr(g, 'project', project)
return redirect(url_for(".list_bills")) return redirect(url_for(".list_bills"))
@ -189,7 +189,7 @@ def authenticate(project_id=None):
session["projects"] = [] session["projects"] = []
# add the project on the top of the list # add the project on the top of the list
session["projects"].insert(0, (project_id, project.name)) session["projects"].insert(0, (project_id, project.name))
session[project_id] = form.password.data session[project_id] = True
session.update() session.update()
setattr(g, 'project', project) setattr(g, 'project', project)
return redirect(url_for(".list_bills")) return redirect(url_for(".list_bills"))
@ -233,7 +233,7 @@ def create_project():
db.session.commit() db.session.commit()
# create the session object (authenticate) # create the session object (authenticate)
session[project.id] = project.password session[project.id] = True
session.update() session.update()
# send reminder email # send reminder email
@ -290,8 +290,8 @@ def edit_project():
if request.method == "POST": if request.method == "POST":
if edit_form.validate(): if edit_form.validate():
project = edit_form.update(g.project) project = edit_form.update(g.project)
db.session.add(project)
db.session.commit() db.session.commit()
session[project.id] = project.password
return redirect(url_for(".list_bills")) return redirect(url_for(".list_bills"))
@ -359,7 +359,7 @@ def demo():
contact_email="demo@notmyidea.org") contact_email="demo@notmyidea.org")
db.session.add(project) db.session.add(project)
db.session.commit() db.session.commit()
session[project.id] = project.password session[project.id] = True
return redirect(url_for(".list_bills", project_id=project.id)) return redirect(url_for(".list_bills", project_id=project.id))
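Review bot: With `session[project_id] = True`, a session is no longer tied to the password, so changing a project's password in the edit_project hunk (-290) no longer revokes access for anyone already logged in; before this change the `session[project.id] == project.password` comparison in pull_project and authenticate did that implicitly, and the dropped `session[project.id] = project.password` line is not replaced by anything. Because the session lives in the client cookie, revocation needs a value in the cookie that changes with the password and is compared server-side: if the Project model can carry a random per-project token regenerated on password change, store that token instead of `True` and compare it in `pull_project` (`session.get(project.id) == project.token`) and in `authenticate`; a digest of the password is a weaker stopgap since the cookie remains readable and project passwords are likely guessable. Also note that `session.get(project_id)` accepts any truthy value, so an explicit `is True` comparison would be safer if the key could ever hold a string again. The functions pull_project, authenticate and edit_project each extend beyond the visible hunks.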