
Merge branch 'branch-2.23'

cornelinux committed Sep 7, 2018
2 parents aded3ad + 4e462f9 commit a3edc09beffa2104f357fe24971ea3211ce40751
@@ -1,3 +1,8 @@
Version 2.23.2, 2018-09-07

Fixes:
* Fix problem with empty username (#1227)

Version 2.23.1, 2018-09-06

Fixes:
@@ -15,7 +15,7 @@ info:
@echo "make ppa - upload to launchpad stable repo"

#VERSION=1.3~dev5
SHORT_VERSION=2.23.1
SHORT_VERSION=2.23.2
#SHORT_VERSION=2.10~dev7
VERSION_JESSIE=${SHORT_VERSION}
VERSION=${SHORT_VERSION}
@@ -1,3 +1,10 @@
python-privacyidea (2.23.2-1trusty) trusty; urgency=medium

Fixes:
* Fix problem with empty username (#1227)

-- Cornelius Kölbel <cornelius.koelbel@netknights.it> Fri, 07 Sep 2018 12:00:00 +0200

python-privacyidea (2.23.1-1trusty) trusty; urgency=medium

Fixes:
@@ -1,3 +1,10 @@
privacyidea-venv (2.23.2-1) jessie; urgency=medium

Fixes:
* Fix problem with empty username (#1227)

-- Cornelius Kölbel <cornelius.koelbel@netknights.it> Fri, 07 Sep 2018 12:00:00 +0200

privacyidea-venv (2.23.1-1) jessie; urgency=medium

Fixes:
@@ -12,4 +12,7 @@ override_dh_virtualenv:
override_dh_shlibdeps:
dh_shlibdeps --exclude=numpy --exclude=psycopg2 --exclude=libz --exclude=png16

override_dh_strip:
dh_strip --exclude=cffi --exclude=PIL --exclude=Pillow


@@ -17,7 +17,7 @@
# built documents.
#
# The short X.Y version.
version = '2.23.1'
version = '2.23.2'
# The full version, including alpha/beta/rc tags.
#release = '2.16dev5'
release = version
@@ -164,6 +164,7 @@ def after_request(response):


@validate_blueprint.route('/offlinerefill', methods=['POST'])
@check_user_or_serial_in_request(request)
@event("validate_offlinerefill", request, g)
def offlinerefill():
"""
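Review bot: The decorator stack on `offlinerefill` has no comment saying that the order matters. The rendered hunk does not mark which line is new; the hunk counts show one added line, presumably `@check_user_or_serial_in_request(request)`. Because it sits above `@event(...)`, the parameter check wraps the event-decorated function and so runs before any event handling. A one-line comment above it would keep a later reorder from moving the check behind the handlers: `# must stay above @event: rejects empty or wildcard user/serial before handlers run`. The check also accepts a request that carries only `user`, so if this endpoint needs a serial it still depends on a check in the body, which starts at the end of this hunk and is not visible here.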
@@ -84,10 +84,15 @@ def __init__(self, request):
def __call__(self, func):
@functools.wraps(func)
def check_user_or_serial_in_request_wrapper(*args, **kwds):
user = self.request.all_data.get("user")
serial = self.request.all_data.get("serial")
user = self.request.all_data.get("user", "").strip()
serial = self.request.all_data.get("serial", "").strip()
if not serial and not user:
raise ParameterError(_("You need to specify a serial or a user."))
if "*" in serial:
raise ParameterError(_("Invalid serial number."))
if "%" in user:
raise ParameterError(_("Invalid user."))

f_result = func(*args, **kwds)
return f_result
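Review bot: `self.request.all_data.get("user", "")` falls back to `""` only when the key is absent, so a key that is present with a null or non-string value would reach `.strip()` and raise an AttributeError instead of the intended ParameterError. That can happen only if `all_data` is filled from a JSON body, which this hunk does not show. Coercing first closes the null case: `user = (self.request.all_data.get("user") or "").strip()`, and likewise for `serial`. Other non-string types would still need an `isinstance(..., str)` guard that raises ParameterError. The stripped values are local to the wrapper, so the wrapped function still reads the unstripped strings from `all_data`. The `*` and `%` checks should carry a comment on why each character is rejected for that field, for example `# "*" is a wildcard in serial lookups`, if that is the reason. The enclosing class starts outside this hunk.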

@@ -5,7 +5,7 @@
import sys

#VERSION="2.1dev4"
VERSION="2.23.1"
VERSION="2.23.2"

# Taken from kennethreitz/requests/setup.py
package_directory = os.path.realpath(os.path.dirname(__file__))
@@ -2193,6 +2193,40 @@ def test_30_challenge_text(self):
remove_token("CHAL3")
remove_token("CHAL4")

def test_01_check_invalid_input(self):
# Empty username
with self.app.test_request_context('/validate/check',
method='POST',
data={"user": " ",
"pass": ""}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
result = json.loads(res.data).get("result")
error_msg = result.get("error").get("message")
self.assertEqual("ERR905: You need to specify a serial or a user.", error_msg)

# wrong username
with self.app.test_request_context('/validate/check',
method='POST',
data={"user": "h%h",
"pass": ""}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
result = json.loads(res.data).get("result")
error_msg = result.get("error").get("message")
self.assertEqual("ERR905: Invalid user.", error_msg)

# wrong serial
with self.app.test_request_context('/validate/check',
method='POST',
data={"serial": "*",
"pass": ""}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
result = json.loads(res.data).get("result")
error_msg = result.get("error").get("message")
self.assertEqual("ERR905: Invalid serial number.", error_msg)


class AChallengeResponse(MyTestCase):
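Review bot: The new test exercises the input check only through `/validate/check`, so `/validate/offlinerefill`, which also carries the decorator in this commit, has no case. There is also no case for a whitespace-only `serial` or for a request that sends neither parameter. Adding those would pin the guard on every route that uses it. The status assertions would give a clearer failure message as `self.assertEqual(res.status_code, 400, res)` rather than `self.assertTrue(res.status_code == 400, res)`. The `test_01_` prefix sits after `test_30_challenge_text`; the start of the class is outside this hunk, so it is worth confirming that no existing `test_01_` method shares the name.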
