From 5e338d9aba56eb4685b015392ed084fc01c80633 Mon Sep 17 00:00:00 2001
From: Ross Jones
Date: Thu, 16 Aug 2012 14:19:58 +0100
Subject: [PATCH] 2866 Missing key results in strip() being called on None
When no reset key is present then None is used to verify the key and it is strip()ed first, resulting in an error.
---
 ckan/lib/mailer.py | 2 ++
 ckan/tests/functional/test_user.py | 9 +++++++++
 2 files changed, 11 insertions(+)
diff --git a/ckan/lib/mailer.py b/ckan/lib/mailer.py
index 57b6a7e67f4..276e4f75323 100644
--- a/ckan/lib/mailer.py
+++ b/ckan/lib/mailer.py
@@ -95,6 +95,8 @@ def send_reset_link(user):
 mail_user(user, _('Reset your password'), body)
 def verify_reset_link(user, key):
+ if not key:
+ return False
 if not user.reset_key or len(user.reset_key) < 5:
 return False
 return key.strip() == user.reset_key
diff --git a/ckan/tests/functional/test_user.py b/ckan/tests/functional/test_user.py
index 8206d317676..ee8db1350b0 100644
--- a/ckan/tests/functional/test_user.py
+++ b/ckan/tests/functional/test_user.py
@@ -965,6 +965,15 @@ def test_perform_reset_user_password_link_key_incorrect(self):
 key='randomness') # i.e. incorrect
 res = self.app.get(offset, status=403) # error
+ def test_perform_reset_user_password_link_key_missing(self):
+ CreateTestData.create_user(name='jack', password='test1')
+ user = model.User.by_name(u'jack')
+ offset = url_for(controller='user',
+ action='perform_reset',
+ id=user.id) # not, no key specified
+ res = self.app.get(offset, status=403) # error
+
+
 def test_perform_reset_user_password_link_user_incorrect(self):
 # Make up a key - i.e. trying to hack this
 user = model.User.by_name(u'jack')
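Review bot: The last line of `verify_reset_link`, `return key.strip() == user.reset_key`, compares a secret password-reset token with an ordinary `==`, which returns as soon as the first differing character is found and so is not constant-time. Where the supported Python version provides it, `return hmac.compare_digest(key.strip(), user.reset_key)` would remove that timing signal; it needs `import hmac` in the module's import block, which is outside this hunk, and both values must be the same string type. The function also has no docstring, so the contract the new guard establishes is unstated; something like `"""Return True only if key is non-empty and matches the user's stored reset key."""` would document it. Whether the function continues past the hunk's last line is not visible here.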
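Review bot: `test_perform_reset_user_password_link_key_missing` may not actually exercise the new `if not key:` guard. If the user it loads has no `reset_key`, the pre-existing `if not user.reset_key or len(user.reset_key) < 5:` check in `verify_reset_link` already returned False before `key.strip()` was reached, so the request could have produced a 403 without the fix. Whether `CreateTestData.create_user` or an earlier test leaves a reset key on 'jack' is not visible in this hunk. Giving the user a known `reset_key` before the request, and asserting it is set, would make this a true regression test for a missing key. The trailing comment `# not, no key specified` presumably means `# note, no key specified`.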