Merge pull request #152 from pascalski/master

Adding unicode check regarding CVE-2019-19844
anexia-it · Oct 22, 2021 · 5da15aa · 5da15aa
2 parents a5262f3 + 789a542
commit 5da15aa
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/django_rest_passwordreset/views.py b/django_rest_passwordreset/views.py
@@ -1,3 +1,4 @@
+import unicodedata
 from datetime import timedelta
 
 from django.conf import settings
@@ -34,6 +35,18 @@
 HTTP_IP_ADDRESS_HEADER = getattr(settings, 'DJANGO_REST_PASSWORDRESET_IP_ADDRESS_HEADER', 'REMOTE_ADDR')
 
 
+def _unicode_ci_compare(s1, s2):
+    """
+    Perform case-insensitive comparison of two identifiers, using the
+    recommended algorithm from Unicode Technical Report 36, section
+    2.11.2(B)(2).
+    """
+    normalized1 = unicodedata.normalize('NFKC', s1)
+    normalized2 = unicodedata.normalize('NFKC', s2)
+
+    return normalized1.casefold() == normalized2.casefold()
+
+
 class ResetPasswordValidateToken(GenericAPIView):
     """
     An Api View which provides a method to verify that a token is valid
@@ -139,7 +152,8 @@ def post(self, request, *args, **kwargs):
         # last but not least: iterate over all users that are active and can change their password
         # and create a Reset Password Token and send a signal with the created token
         for user in users:
-            if user.eligible_for_reset():
+            if user.eligible_for_reset() and \
+                    _unicode_ci_compare(email, getattr(user, get_password_reset_lookup_field())):
                 # define the token as none for now
                 token = None
 

diff --git a/tests/test/test_auth_test_case.py b/tests/test/test_auth_test_case.py
@@ -20,6 +20,7 @@ def setUp(self):
         self.user2 = User.objects.create_user("user2", "user2@mail.com", "secret2")
         self.user3 = User.objects.create_user("user3@mail.com", "not-that-mail@mail.com", "secret3")
         self.user4 = User.objects.create_user("user4", "user4@mail.com")
+        self.user5 = User.objects.create_user("user5", "uѕer5@mail.com", "secret5")  # email contains kyrillic s
 
     def test_try_reset_password_email_does_not_exist(self):
         """ Tests requesting a token for an email that does not exist """
@@ -29,6 +30,13 @@ def test_try_reset_password_email_does_not_exist(self):
         # response should have "email" in it
         self.assertTrue("email" in decoded_response)
 
+    def test_unicode_email_reset(self):
+        response = self.rest_do_request_reset_token(email="uѕer5@mail.com")
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+
+        decoded_response = json.loads(response.content.decode())
+        self.assertEqual(decoded_response.get("email")[0], 'Enter a valid email address.')
+
     @patch('django_rest_passwordreset.signals.reset_password_token_created.send')
     def test_validate_token(self, mock_reset_password_token_created):
         """ Tests validate token """