sso: Adjust URL to CAPTCHA page needed by Django security fix

Fixes: #2170. Starting with Django 2.2.25, re_path behavior has changed. When the regular expression ends with a '$', a full match is performed with the regular expression. This breaks the behavior of how we are currently matching the locked URLs for CAPTCHA based login forms. Tests: - All tests are done on Debian stable with Django 2.2.25 and on Debian unstable with Django 3.2.10. - Go to home page, click on login link. Enter wrong password three times. CAPTCHA page is show with URL ending with /locked. Type the correct password and login will be successful. - Install tt-rss. Logout. Go to /tt-rss/, redirection will happen to login page. Enter wrong password three times. CAPTCHA page is show with URL ending with /locked. Type the correct password and login will be successful. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-01-21 07:55:00 +00:00 · 2022-01-11 20:32:08 -08:00 · 2022-01-11 20:32:08 -08:00 · 895d8cffbc
commit 895d8cffbc
parent 08eb54ad0f
3 changed files with 9 additions and 8 deletions
--- a/plinth/modules/sso/urls.py
+++ b/plinth/modules/sso/urls.py
@ -9,11 +9,15 @@ from stronghold.decorators import public

 from plinth.utils import non_admin_view

-from .views import SSOLoginView, refresh
+from .views import CaptchaLoginView, SSOLoginView, refresh

 urlpatterns = [
    re_path(r'^accounts/sso/login/$',
            public(axes_dispatch(SSOLoginView.as_view())), name='sso-login'),
    re_path(r'^accounts/sso/refresh/$', non_admin_view(refresh),
            name='sso-refresh'),
+
+    # Locked URL from django-axes
+    re_path(r'accounts/sso/login/locked/$', public(CaptchaLoginView.as_view()),
+            name='locked_out'),
 ]
--- a/plinth/modules/users/urls.py
+++ b/plinth/modules/users/urls.py
@ -7,7 +7,8 @@ from axes.decorators import axes_dispatch
 from django.urls import re_path, reverse_lazy
 from stronghold.decorators import public

-from plinth.modules.sso.views import SSOLoginView, SSOLogoutView
+from plinth.modules.sso.views import (CaptchaLoginView, SSOLoginView,
+                                      SSOLogoutView)
 from plinth.utils import non_admin_view

 from . import views
@ -33,4 +34,6 @@ urlpatterns = [
            {'next_page': reverse_lazy('index')}, name='logout'),
    re_path(r'^users/firstboot/$', public(views.FirstBootView.as_view()),
            name='firstboot'),
+    re_path(r'accounts/login/locked/$', public(CaptchaLoginView.as_view()),
+            name='locked_out'),
 ]
--- a/plinth/urls.py
+++ b/plinth/urls.py
@ -6,8 +6,6 @@ from captcha import views as cviews
 from django.urls import re_path
 from stronghold.decorators import public

-from plinth.modules.sso.views import CaptchaLoginView
-
 from . import views

 urlpatterns = [
@ -28,10 +26,6 @@ urlpatterns = [
    re_path(r'^captcha/refresh/$', public(cviews.captcha_refresh),
            name='captcha-refresh'),

-    # locked url from django-axes
-    re_path(r'locked/$', public(CaptchaLoginView.as_view()),
-            name='locked_out'),
-
    # Notifications
    re_path(r'^notification/(?P<id>[A-Za-z0-9-=]+)/dismiss/$',
            views.notification_dismiss, name='notification_dismiss')