- Update to 3.4.5
  * Security Vulnerability Fix. Two CSRF vulnerabilities were reported: qrcode and login. This release fixes the more severe of the 2 - the /login vulnerability. The QRcode issue has a much smaller risk profile since a) it is only for two-factor authentication using an authenticator app b) the qrcode is only available during the time the user is first setting up their authentication app. The QRcode issue has been fixed in 4.0.
  * Fixed - GET on /login and /change could return the caller's authentication_token. This is a security concern since GETs don't have CSRF protection. This bug was introduced in 3.3.0.
  * Backwards Compatibility Concerns. Fix CSRF vulnerability on /login and /change that could return the caller's authentication token. Now, callers can only get the authentication token on successful POST calls.
- Update to 3.4.4
  * Fix 3 regressions and a couple other bugs
  * Fixed - Basic Auth broken. When the unauthenticated handler was changed to provide a more uniform/consistent response - it broke using Basic Auth from a browser, since it always redirected rather than returning 401. Now, if the response headers contain WWW-Authenticate (which is set if basic @auth_required method is used), a 401 is returned. See below for backwards compatibility concerns.
  - As part of figuring out issue 359 - a redirect loop was found. In release 3.3.0 code was put in to redirect to :py:data:`SECURITY_POST_LOGIN_VIEW` when GET or POST was called and the caller was already authenticated. The method

OBS-URL: https://build.opensuse.org/request/show/900215
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:flask/python-Flask-Security-Too?expand=0&rev=12
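The 3.4.5 entry above describes the rule the /login (and /change) fix enforces: an authentication token is handed out only on a successful POST that passed the CSRF check, never in the response to a GET. The stdlib-only WSGI app below is an added illustration of that rule, not Flask-Security's own code; the user table, the single static CSRF token and the `call()` helper that drives the app without a network are all constructed for the example.

```python
import hmac
import io
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed demo data (assumptions for this example, not Flask-Security values).
USERS = {"alice@example.com": "correct horse"}
CSRF_TOKEN = secrets.token_hex(16)  # a real app issues one per session; one token keeps the demo short
AUTH_TOKENS = {"alice@example.com": "tok-" + secrets.token_hex(8)}


def _json(start_response, status, payload):
    """Emit a JSON body with the given HTTP status line."""
    body = json.dumps(payload).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


def app(environ, start_response):
    """WSGI stand-in for a /login endpoint that issues a token only on a successful POST."""
    if environ["PATH_INFO"] != "/login":
        return _json(start_response, "404 Not Found", {"error": "not found"})

    if environ["REQUEST_METHOD"] == "GET":
        # GET renders the form (and the CSRF token the form must echo back).
        # It never includes the caller's authentication token: GET carries no
        # CSRF protection, so nothing secret belongs in its response.
        return _json(start_response, "200 OK",
                     {"csrf_token": CSRF_TOKEN, "form": ["email", "password"]})

    if environ["REQUEST_METHOD"] != "POST":
        return _json(start_response, "405 Method Not Allowed", {"error": "method not allowed"})

    length = int(environ.get("CONTENT_LENGTH") or 0)
    fields = parse_qs(environ["wsgi.input"].read(length).decode())
    sent = fields.get("csrf_token", [""])[0]
    # Constant-time comparison of the submitted CSRF token; reject before touching credentials.
    if not hmac.compare_digest(sent.encode(), CSRF_TOKEN.encode()):
        return _json(start_response, "403 Forbidden", {"error": "csrf"})

    email = fields.get("email", [""])[0]
    password = fields.get("password", [""])[0]
    expected = USERS.get(email)
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        # Failed login: no token in the response either.
        return _json(start_response, "401 Unauthorized", {"error": "bad credentials"})

    # Only a CSRF-checked, successfully authenticated POST reaches this point.
    return _json(start_response, "200 OK", {"authentication_token": AUTH_TOKENS[email]})


def call(method, path, form=None):
    """Invoke the WSGI app in-process and return (status line, parsed JSON body)."""
    body = urlencode(form or {}).encode()
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    chunks = app(environ, start_response)
    return captured["status"], json.loads(b"".join(chunks))


if __name__ == "__main__":
    print(call("GET", "/login"))
    print(call("POST", "/login", {"csrf_token": CSRF_TOKEN,
                                  "email": "alice@example.com",
                                  "password": "correct horse"}))
```

The same four cases are what a regression test for the 3.4.5 fix would pin down: GET returns no `authentication_token`, a POST without the CSRF token is refused before credentials are examined, a POST with the token but wrong credentials yields no token, and only the CSRF-checked successful POST does.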
From fc94ad58537d83b1f5500876da4a3026654645ba Mon Sep 17 00:00:00 2001
From: Antonio Larrosa <antonio.larrosa@gmail.com>
Date: Tue, 15 Jun 2021 19:36:50 +0200
Subject: [PATCH] Do not raise a TypeError exception if phone.data is None

Running the tests on the openSUSE build service to generate
packages fails because a TypeError exception is raised.

```
TypeError: object of type 'NoneType' has no len()
```

This commit checks that phone.data is not None before calling
len() in the two lines where the exception is raised.
---
flask_security/forms.py | 3 ++-
flask_security/views.py | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/flask_security/forms.py b/flask_security/forms.py
index c793a99..83665fa 100644
--- a/flask_security/forms.py
+++ b/flask_security/forms.py
@@ -593,7 +593,8 @@ class TwoFactorSetupForm(Form, UserEmailFormMixin):
self.setup.errors = list()
self.setup.errors.append(get_message("TWO_FACTOR_METHOD_NOT_AVAILABLE")[0])
return False
- if self.setup.data == "sms" and len(self.phone.data) > 0:
+ if (self.setup.data == "sms" and
+ self.phone.data and len(self.phone.data) > 0):
# Somewhat bizarre - but this isn't required the first time around
# when they select "sms". Then they get a field to fill out with
# phone number, then Submit again.
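Review bot: the `len(self.phone.data) > 0` part of the new condition is redundant once `self.phone.data` itself is tested, since a non-empty string is already truthy and `None` and `""` are both falsy; `if self.setup.data == "sms" and self.phone.data:` expresses the same check on one line and avoids the parenthesised continuation. If a whitespace-only phone value should count as "no phone", test `self.phone.data.strip()` instead, but that goes beyond what this fix sets out to do.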
diff --git a/flask_security/views.py b/flask_security/views.py
index c33a016..3aaca95 100644
--- a/flask_security/views.py
+++ b/flask_security/views.py
@@ -751,7 +751,8 @@ def two_factor_setup():

session["tf_primary_method"] = pm
session["tf_state"] = "validating_profile"
- new_phone = form.phone.data if len(form.phone.data) > 0 else None
+ new_phone = form.phone.data if (form.phone.data and
+ len(form.phone.data) > 0) else None
if new_phone:
user.tf_phone_number = new_phone
_datastore.put(user)
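Review bot: same redundancy as in the forms.py hunk: `form.phone.data if (form.phone.data and len(form.phone.data) > 0) else None` reduces to `new_phone = form.phone.data or None`, which normalises both `None` and `""` to `None` and keeps the `if new_phone:` guard on the next line meaningful. Since the view and the form now repeat the identical `None` check, normalising `phone.data` once in the form's validation would let the view drop it.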
--
2.31.1