[tor-commits] [bridgedb/develop] Fix error in usage of redirectTo() with a malicious request.
commit 77776deaad380d9a48524c69533bf566a7a1406b
Author: Isis Lovecruft <isis@xxxxxxxxxxxxxx>
Date: Tue Nov 28 19:43:10 2017 +0000
Fix error in usage of redirectTo() with a malicious request.
* FIXES #24460: https://bugs.torproject.org/24460
---
bridgedb/distributors/https/server.py | 6 ++++--
bridgedb/test/test_https_server.py | 14 ++++++++++++++
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/bridgedb/distributors/https/server.py b/bridgedb/distributors/https/server.py
index 352a838..d4771a6 100644
--- a/bridgedb/distributors/https/server.py
+++ b/bridgedb/distributors/https/server.py
@@ -410,8 +410,10 @@ class CaptchaProtectedResource(CustomErrorHandlingResource, CSPResource):
try:
challenge = request.args['captcha_challenge_field'][0]
response = request.args['captcha_response_field'][0]
- except Exception: # pragma: no cover
- return redirectTo(request.URLPath(), request)
+ except Exception as error:
+ logging.debug(("Client CAPTCHA solution to HTTPS distributor server"
+ "didn't include correct HTTP arguments: %s" % error))
+ return redirectTo(type(b'')(request.URLPath()), request)
return (challenge, response)
def checkSolution(self, request):
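Review bot: The two adjacent string literals in the new logging.debug call are joined without a separating space, so the message reads "…distributor serverdidn't include…"; the `%` formatting is also done eagerly inside the call where the logging module's lazy argument form is the usual idiom. Suggested replacement: `logging.debug("Client CAPTCHA solution to HTTPS distributor server "` / `"didn't include correct HTTP arguments: %s", error)`. The `type(b'')(request.URLPath())` cast is the actual fix but is opaque to a reader; a one-line comment such as `# redirectTo() requires a native/bytes URL, not a URLPath instance` would record why it exists, and if it is meant to behave on Python 3 it is worth confirming that URLPath supports a bytes conversion there. The `except Exception` still swallows any error from the two lookups, not just a missing or empty field; narrowing it to `(KeyError, IndexError)` would keep unexpected failures visible rather than silently redirecting, though that is a wider change than this commit intends. The enclosing extractClientSolution() method starts outside the hunk.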
diff --git a/bridgedb/test/test_https_server.py b/bridgedb/test/test_https_server.py
index dbd177f..13ec20e 100644
--- a/bridgedb/test/test_https_server.py
+++ b/bridgedb/test/test_https_server.py
@@ -372,6 +372,20 @@ class GimpCaptchaProtectedResourceTests(unittest.TestCase):
self.assertEqual(challenge, expectedChallenge)
self.assertEqual(response, expectedResponse)
+ def test_extractClientSolution_missing_arguments(self):
+ """A solution with missing arguments (the solution field) should
+ return a very agressive redirect to the originally requested,
+ CAPTCHA-protected page.
+ """
+ expectedChallenge = '23232323232323232323'
+
+ self.request.method = b'POST'
+ self.request.addArg('captcha_challenge_field', expectedChallenge)
+
+ response = self.captchaResource.extractClientSolution(self.request)
+
+ self.assertIn("click here", response)
+
def test_checkSolution(self):
"""checkSolution() should return False is the solution is invalid."""
expectedChallenge = '23232323232323232323'
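Review bot: The new test_extractClientSolution_missing_arguments only asserts that "click here" appears in the returned body, which is the generic text of any Twisted redirectTo() page; it does not pin that the redirect target is the originally requested path, which is what the docstring promises and what the server-side cast was changed to produce. Asserting on the target, e.g. `self.assertIn(str(self.request.URLPath()), response)` (exact form depends on the test request type used here, which is set up outside the hunk), would make the test fail if the URL coercion regressed. The docstring also has a typo, `agressive` → `aggressive`. The enclosing GimpCaptchaProtectedResourceTests class and the following test_checkSolution() continue outside the hunk.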