
Fix security vuln - GET on /login or /change could reveal authentication token with no CSRF checks. #422

Merged: 1 commit merged into master from token421 on Jan 2, 2021

Conversation

jwag956 (Member) commented Jan 2, 2021

Fix security vuln - GET on /login or /change could reveal authentication token with no CSRF checks.

GETs no longer return the auth token.

closes: #421

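To make the class of bug the PR title names concrete, here is a constructed Python model of a login endpoint that can hand out an API auth token. It is an added illustration, not Flask-Security's code and not the diff of #422; the `Session`, `Request` and `USERS` names, the `issue_auth_token` helper and the response shapes are assumptions chosen for the example. The pre-fix handler assumes an already-authenticated session on the GET, since a handler needs an identity to mint a token for; that assumption is the example's, not the page's.

```python
"""Constructed model of a login endpoint that can issue an API auth token.

Added illustration only: not Flask-Security's code and not the PR's diff.
Names (Session, Request, USERS, issue_auth_token) and response shapes
are assumptions chosen for the example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed credential store; a real application stores password hashes.
USERS = {"alice": "correct horse battery staple"}


def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison (bytes, so non-ASCII input is fine)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class Session:
    """Server-side session bound to the browser's cookie (constructed)."""
    user_id: Optional[str] = None  # set after a successful login
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    args: Dict[str, str]   # query-string parameters
    form: Dict[str, str]   # POST body parameters
    session: Session


def issue_auth_token(user_id: str) -> str:
    """Stand-in for real token issuance: an opaque, unguessable token."""
    return f"tok-{user_id}-{secrets.token_urlsafe(16)}"


def check_credentials(username: Optional[str], password: Optional[str]) -> bool:
    expected = USERS.get(username or "")
    return expected is not None and _eq(expected, password or "")


def login_after_fix(req: Request) -> dict:
    """Fixed behaviour: the auth token is only ever issued from a POST whose
    CSRF token matches the session, i.e. inside the CSRF-protected boundary."""
    if req.method == "GET":
        # Rendering the form (and its CSRF token) is safe to expose; the auth
        # token is not. include_auth_token on a GET is deliberately ignored.
        return {"status": 200, "csrf_token": req.session.csrf_token}
    if req.method != "POST":
        return {"status": 405, "error": "method not allowed"}
    if not _eq(req.form.get("csrf_token", ""), req.session.csrf_token):
        return {"status": 400, "error": "CSRF token missing or invalid"}
    if not check_credentials(req.form.get("username"), req.form.get("password")):
        return {"status": 401, "error": "bad credentials"}
    req.session.user_id = req.form["username"]
    resp = {"status": 200, "user": req.session.user_id}
    if req.form.get("include_auth_token") or req.args.get("include_auth_token"):
        resp["auth_token"] = issue_auth_token(req.session.user_id)
    return resp


def login_before_fix(req: Request) -> dict:
    """Pre-fix behaviour as the PR title describes it: a GET can return the
    auth token. This model assumes the session is already authenticated so
    there is an identity to mint a token for (the example's assumption)."""
    if req.method == "GET":
        resp = {"status": 200, "csrf_token": req.session.csrf_token}
        if req.session.user_id and req.args.get("include_auth_token"):
            # No CSRF check covers a GET, so the secret goes to any request
            # the browser sends along with the session cookie.
            resp["auth_token"] = issue_auth_token(req.session.user_id)
        return resp
    # Only the GET path differed; the POST path matches the fixed handler.
    return login_after_fix(req)
```

The design point is that form-based CSRF protection (Flask-WTF included) is applied to state-changing methods such as POST, not to GET, so any secret returned on a GET sits outside that protection no matter how strong the token check is elsewhere. Routing token issuance exclusively through the CSRF-validated POST, as the fixed handler does, is what "GETs no longer return the auth token" amounts to in practice.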
@jwag956 jwag956 merged commit c05afe8 into master Jan 2, 2021
2 checks passed
@jwag956 jwag956 deleted the token421 branch January 2, 2021 19:47
jwag956 added a commit that referenced this pull request Jan 5, 2021
Fix security vuln - GET on /login or /change could reveal authentication token with no CSRF checks. (#422)

GETs no longer return the auth token.

closes: #421
jwag956 added a commit that referenced this pull request Jan 8, 2021
* Fix security vuln - GET on /login or /change could reveal authentication token with no CSRF checks. (#422)

GETs no longer return the auth token.

closes: #421

* Backport CSRF /login vulnerability.

This will go out at 3.4.5

aargg - issues with black, and other packages w.r.t. py2.7
Successfully merging this pull request may close these issues.

VULN: GET /login?include_auth_token returns an auth token - without CSRF check.