HTTPSify emailed links containing secret tokens

Thanks to @edent for the report!
reddit-archive · Dec 1, 2014 · 9f1f5a2 · 9f1f5a2
1 parent df75e16
commit 9f1f5a2
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/r2/r2/lib/emailer.py b/r2/r2/lib/emailer.py
@@ -60,7 +60,8 @@ def verify_email(user, dest=None):
     Award.take_away("verified_email", user)
 
     token = EmailVerificationToken._new(user)
-    emaillink = 'http://' + g.domain + '/verification/' + token._id
+    base = g.https_endpoint or g.origin
+    emaillink = base + '/verification/' + token._id
     if dest:
         emaillink += '?dest=%s' % dest
     g.log.debug("Generated email verification link: " + emaillink)

diff --git a/r2/r2/models/token.py b/r2/r2/models/token.py
@@ -751,4 +751,5 @@ def post_url(self):
 
     def confirm_url(self):
         # Full URL; for emailing, PM'ing, etc.
-        return "http://%s/awards/confirm/%s" % (g.domain, self._id)
+        base = g.https_endpoint or g.origin
+        return "%s/awards/confirm/%s" % (base, self._id)