Skip to content
Permalink
Browse files

[1.11.x] Fixed CVE-2019-19844 -- Used verified user email for passwor…

…d reset requests.

Backport of 5b1fbce from master.

Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
  • Loading branch information
2 people authored and felixxm committed Dec 17, 2019
1 parent a235574 commit f4cff43bf921fcea6a29b726eb66767f67753fa2
Showing with 86 additions and 6 deletions.
  1. +26 −4 django/contrib/auth/forms.py
  2. +18 −2 docs/releases/1.11.27.txt
  3. +42 −0 tests/auth_tests/test_forms.py
@@ -16,12 +16,27 @@
from django.template import loader
from django.utils.encoding import force_bytes
from django.utils.http import urlsafe_base64_encode
from django.utils.six import PY3
from django.utils.text import capfirst
from django.utils.translation import ugettext, ugettext_lazy as _

UserModel = get_user_model()


def _unicode_ci_compare(s1, s2):
"""
Perform case-insensitive comparison of two identifiers, using the
recommended algorithm from Unicode Technical Report 36, section
2.11.2(B)(2).
"""
normalized1 = unicodedata.normalize('NFKC', s1)
normalized2 = unicodedata.normalize('NFKC', s2)
if PY3:
return normalized1.casefold() == normalized2.casefold()
# lower() is the best alternative available on Python 2.
return normalized1.lower() == normalized2.lower()


class ReadOnlyPasswordHashWidget(forms.Widget):
template_name = 'auth/widgets/read_only_password_hash.html'

@@ -249,11 +264,16 @@ def get_users(self, email):
that prevent inactive users and users with unusable passwords from
resetting their password.
"""
email_field_name = UserModel.get_email_field_name()
active_users = UserModel._default_manager.filter(**{
'%s__iexact' % UserModel.get_email_field_name(): email,
'%s__iexact' % email_field_name: email,
'is_active': True,
})
return (u for u in active_users if u.has_usable_password())
return (
u for u in active_users
if u.has_usable_password() and
_unicode_ci_compare(email, getattr(u, email_field_name))
)

def save(self, domain_override=None,
subject_template_name='registration/password_reset_subject.txt',
@@ -266,15 +286,17 @@ def save(self, domain_override=None,
user.
"""
email = self.cleaned_data["email"]
email_field_name = UserModel.get_email_field_name()
for user in self.get_users(email):
if not domain_override:
current_site = get_current_site(request)
site_name = current_site.name
domain = current_site.domain
else:
site_name = domain = domain_override
user_email = getattr(user, email_field_name)
context = {
'email': email,
'email': user_email,
'domain': domain,
'site_name': site_name,
'uid': urlsafe_base64_encode(force_bytes(user.pk)),
@@ -286,7 +308,7 @@ def save(self, domain_override=None,
context.update(extra_email_context)
self.send_mail(
subject_template_name, email_template_name, context, from_email,
email, html_email_template_name=html_email_template_name,
user_email, html_email_template_name=html_email_template_name,
)


@@ -2,9 +2,25 @@
Django 1.11.27 release notes
============================

*Expected January 2, 2020*
*December 18, 2019*

Django 1.11.27 fixes a data loss bug in 1.11.26.
Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.

CVE-2019-19844: Potential account hijack via password reset form
================================================================

By submitting a suitably crafted email address making use of Unicode
characters, that compared equal to an existing user email when lower-cased for
comparison, an attacker could be sent a password reset token for the matched
account.

In order to avoid this vulnerability, password reset requests now compare the
submitted email using the stricter, recommended algorithm for case-insensitive
comparison of two identifiers from `Unicode Technical Report 36, section
2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
sent to the email address on record rather than the submitted address.

.. __: https://www.unicode.org/reports/tr36/#Recommendations_General

Bugfixes
========
@@ -694,6 +694,48 @@ def test_invalid_email(self):
self.assertFalse(form.is_valid())
self.assertEqual(form['email'].errors, [_('Enter a valid email address.')])

def test_user_email_unicode_collision(self):
User.objects.create_user('mike123', 'mike@example.org', 'test123')
User.objects.create_user('mike456', 'mıke@example.org', 'test123')
data = {'email': 'mıke@example.org'}
form = PasswordResetForm(data)
if six.PY2:
self.assertFalse(form.is_valid())
else:
self.assertTrue(form.is_valid())
form.save()
self.assertEqual(len(mail.outbox), 1)
self.assertEqual(mail.outbox[0].to, ['mıke@example.org'])

def test_user_email_domain_unicode_collision(self):
User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
User.objects.create_user('mike456', 'mike@ıxample.org', 'test123')
data = {'email': 'mike@ıxample.org'}
form = PasswordResetForm(data)
self.assertTrue(form.is_valid())
form.save()
self.assertEqual(len(mail.outbox), 1)
self.assertEqual(mail.outbox[0].to, ['mike@ıxample.org'])

def test_user_email_unicode_collision_nonexistent(self):
User.objects.create_user('mike123', 'mike@example.org', 'test123')
data = {'email': 'mıke@example.org'}
form = PasswordResetForm(data)
if six.PY2:
self.assertFalse(form.is_valid())
else:
self.assertTrue(form.is_valid())
form.save()
self.assertEqual(len(mail.outbox), 0)

def test_user_email_domain_unicode_collision_nonexistent(self):
User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
data = {'email': 'mike@ıxample.org'}
form = PasswordResetForm(data)
self.assertTrue(form.is_valid())
form.save()
self.assertEqual(len(mail.outbox), 0)

def test_nonexistent_email(self):
"""
Test nonexistent email address. This should not fail because it would

0 comments on commit f4cff43

Please sign in to comment.
You can’t perform that action at this time.