From 895d8cffbce8aa2c5fcb2f8e891607d5851d7baf Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Tue, 11 Jan 2022 20:32:08 -0800
Subject: [PATCH] sso: Adjust URL to CAPTCHA page needed by Django security fix

Fixes: #2170.

Starting with Django 2.2.25, re_path behavior has changed. When the regular expression ends with a '$', a full match is performed with the regular expression. This breaks the behavior of how we are currently matching the locked URLs for CAPTCHA based login forms.

Tests:

- All tests are done on Debian stable with Django 2.2.25 and on Debian unstable with Django 3.2.10.
- Go to home page, click on login link. Enter wrong password three times. CAPTCHA page is show with URL ending with /locked. Type the correct password and login will be successful.
- Install tt-rss. Logout. Go to /tt-rss/, redirection will happen to login page. Enter wrong password three times. CAPTCHA page is show with URL ending with /locked. Type the correct password and login will be successful.

Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 plinth/modules/sso/urls.py   | 6 +++++-
 plinth/modules/users/urls.py | 5 ++++-
 plinth/urls.py               | 6 ------
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/plinth/modules/sso/urls.py b/plinth/modules/sso/urls.py
index ba4d84280..457314d73 100644
--- a/plinth/modules/sso/urls.py
+++ b/plinth/modules/sso/urls.py
@@ -9,11 +9,15 @@ from stronghold.decorators import public
 
 from plinth.utils import non_admin_view
 
-from .views import SSOLoginView, refresh
+from .views import CaptchaLoginView, SSOLoginView, refresh
 
 urlpatterns = [
     re_path(r'^accounts/sso/login/$',
             public(axes_dispatch(SSOLoginView.as_view())), name='sso-login'),
     re_path(r'^accounts/sso/refresh/$', non_admin_view(refresh),
             name='sso-refresh'),
+
+    # Locked URL from django-axes
+    re_path(r'accounts/sso/login/locked/$', public(CaptchaLoginView.as_view()),
+            name='locked_out'),
 ]
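Review bot: The new pattern `r'accounts/sso/login/locked/$'` has no leading `^`, unlike every other pattern in this urlpatterns list (`r'^accounts/sso/login/$'`, `r'^accounts/sso/refresh/$'`). It resolves correctly only because the Django 2.2.25 change described in the commit message now full-matches any regex ending in `$`; a reader of the file, or a resolver that still uses search semantics, sees an unanchored path. Anchoring it explicitly costs nothing and states the intent: `re_path(r'^accounts/sso/login/locked/$', public(CaptchaLoginView.as_view()),`. The same applies to `r'accounts/login/locked/$'` in the plinth/modules/users/urls.py hunk of this commit.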
diff --git a/plinth/modules/users/urls.py b/plinth/modules/users/urls.py
index 5d6fb84e2..b95391f75 100644
--- a/plinth/modules/users/urls.py
+++ b/plinth/modules/users/urls.py
@@ -7,7 +7,8 @@ from axes.decorators import axes_dispatch
 from django.urls import re_path, reverse_lazy
 from stronghold.decorators import public
 
-from plinth.modules.sso.views import SSOLoginView, SSOLogoutView
+from plinth.modules.sso.views import (CaptchaLoginView, SSOLoginView,
+                                      SSOLogoutView)
 from plinth.utils import non_admin_view
 
 from . import views
@@ -33,4 +34,6 @@ urlpatterns = [
                 {'next_page': reverse_lazy('index')}, name='logout'),
     re_path(r'^users/firstboot/$', public(views.FirstBootView.as_view()),
             name='firstboot'),
+    re_path(r'accounts/login/locked/$', public(CaptchaLoginView.as_view()),
+            name='locked_out'),
 ]
diff --git a/plinth/urls.py b/plinth/urls.py
index 48ba8e336..912983869 100644
--- a/plinth/urls.py
+++ b/plinth/urls.py
@@ -6,8 +6,6 @@ from captcha import views as cviews
 from django.urls import re_path
 from stronghold.decorators import public
 
-from plinth.modules.sso.views import CaptchaLoginView
-
 from . import views
 
 urlpatterns = [
@@ -28,10 +26,6 @@ urlpatterns = [
     re_path(r'^captcha/refresh/$', public(cviews.captcha_refresh),
             name='captcha-refresh'),
 
-    # locked url from django-axes
-    re_path(r'locked/$', public(CaptchaLoginView.as_view()),
-            name='locked_out'),
-
     # Notifications
     re_path(r'^notification/(?P[A-Za-z0-9-=]+)/dismiss/$',
             views.notification_dismiss, name='notification_dismiss')
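Review bot: `name='locked_out'` is now declared twice, in the second hunk of plinth/modules/users/urls.py and in plinth/modules/sso/urls.py, so `reverse('locked_out')` can only ever return one of the two paths (which one depends on include order in the root urlconf) while the other is reachable only by direct request. That is harmless if the lockout redirect is built relative to the login URL rather than by name, as the commit message's "URL ending with /locked" tests suggest, but the dependency deserves a comment beside both patterns, e.g. `# Reached via a redirect relative to the login URL, not by reverse(); the name is also declared in sso/urls.py`. Separately, this locked endpoint is wrapped only in `public(...)`, unlike `sso-login` which is also `axes_dispatch(...)`; whether failed CAPTCHA-form attempts are still counted and throttled therefore rests on CaptchaLoginView itself, which is not visible here and is worth confirming. The urlpatterns list this hunk extends starts outside the hunk.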