Security update - Password could be unset from settings form unexpectedly (#808)

pull/818/head
dgtlmoon 2 years ago committed by GitHub
parent e318253f31
commit 6f072b42e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -703,7 +703,14 @@ def changedetection_app(config=None, datastore_o=None):
return redirect(url_for('settings_page')) return redirect(url_for('settings_page'))
if form.validate(): if form.validate():
datastore.data['settings']['application'].update(form.data['application']) # Don't set password to False when a password is set - should be only removed with the `removepassword` button
app_update = dict(deepcopy(form.data['application']))
# Never update password with '' or False (Added by wtforms when not in submission)
if 'password' in app_update and not app_update['password']:
del (app_update['password'])
datastore.data['settings']['application'].update(app_update)
datastore.data['settings']['requests'].update(form.data['requests']) datastore.data['settings']['requests'].update(form.data['requests'])
if not os.getenv("SALTED_PASS", False) and len(form.application.form.password.encrypted_password): if not os.getenv("SALTED_PASS", False) and len(form.application.form.password.encrypted_password):
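Review bot: The guard that drops a blank password from `app_update` does what the title describes, but its form is heavier than it needs to be: `dict(deepcopy(form.data['application']))` wraps a value that is already a dict in `dict()` for no effect, and `del (app_update['password'])` parenthesises the target so it reads like a call. The same behaviour (an absent, empty or False password is never written into the stored application settings) is expressed by `app_update = deepcopy(form.data['application'])` followed by `if not app_update.get('password'):` and `app_update.pop('password', None)`. `deepcopy` is not imported anywhere visible in this hunk, so its import at the top of the file should be confirmed. The enclosing function `changedetection_app` starts well before the hunk and continues after it.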

@ -19,7 +19,6 @@ def test_check_access_control(app, client):
) )
assert b"Password protection enabled." in res.data assert b"Password protection enabled." in res.data
assert b"LOG OUT" not in res.data
# Check we hit the login # Check we hit the login
res = c.get(url_for("index"), follow_redirects=True) res = c.get(url_for("index"), follow_redirects=True)
@ -38,7 +37,42 @@ def test_check_access_control(app, client):
follow_redirects=True follow_redirects=True
) )
# Yes we are correctly logged in
assert b"LOG OUT" in res.data assert b"LOG OUT" in res.data
# 598 - Password should be set and not accidently removed
res = c.post(
url_for("settings_page"),
data={
"requests-time_between_check-minutes": 180,
'application-fetch_backend': "html_requests"},
follow_redirects=True
)
res = c.get(url_for("logout"),
follow_redirects=True)
res = c.get(url_for("settings_page"),
follow_redirects=True)
assert b"Login" in res.data
res = c.get(url_for("login"))
assert b"Login" in res.data
res = c.post(
url_for("login"),
data={"password": "foobar"},
follow_redirects=True
)
# Yes we are correctly logged in
assert b"LOG OUT" in res.data
return
res = c.get(url_for("settings_page")) res = c.get(url_for("settings_page"))
# Menu should be available now # Menu should be available now
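Review bot: The `return` added after the second `assert b"LOG OUT" in res.data` makes the remainder of `test_check_access_control` unreachable, starting with the `res = c.get(url_for("settings_page"))` and the menu check that follow it, so those existing assertions no longer run. If the early exit was left over from narrowing the test down, the `return` should be removed; if the later checks are no longer wanted, they should be deleted rather than left as dead code. The new comment `# 598 - Password should be set and not accidently removed` has a typo, `accidentally`. The test function starts before the hunk and continues past its end.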
