summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorSimon Charette <charette.s@gmail.com>2019-12-16 21:51:57 -0500
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2019-12-18 09:17:28 +0100
commitf4cff43bf921fcea6a29b726eb66767f67753fa2 (patch)
tree65bc904184f7d81b587270220734b2e6e0b301c2 /tests
parenta2355740ed76ca9461b34d65beb450c0156f3224 (diff)
[1.11.x] Fixed CVE-2019-19844 -- Used verified user email for password reset requests.
Backport of 5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70 from master. Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
Diffstat (limited to 'tests')
-rw-r--r--tests/auth_tests/test_forms.py42
1 files changed, 42 insertions, 0 deletions
diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
index e09285277f..213d58b773 100644
--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@@ -694,6 +694,48 @@ class PasswordResetFormTest(TestDataMixin, TestCase):
self.assertFalse(form.is_valid())
self.assertEqual(form['email'].errors, [_('Enter a valid email address.')])
+ def test_user_email_unicode_collision(self):
+ User.objects.create_user('mike123', 'mike@example.org', 'test123')
+ User.objects.create_user('mike456', 'mıke@example.org', 'test123')
+ data = {'email': 'mıke@example.org'}
+ form = PasswordResetForm(data)
+ if six.PY2:
+ self.assertFalse(form.is_valid())
+ else:
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 1)
+ self.assertEqual(mail.outbox[0].to, ['mıke@example.org'])
+
+ def test_user_email_domain_unicode_collision(self):
+ User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+ User.objects.create_user('mike456', 'mike@ıxample.org', 'test123')
+ data = {'email': 'mike@ıxample.org'}
+ form = PasswordResetForm(data)
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 1)
+ self.assertEqual(mail.outbox[0].to, ['mike@ıxample.org'])
+
+ def test_user_email_unicode_collision_nonexistent(self):
+ User.objects.create_user('mike123', 'mike@example.org', 'test123')
+ data = {'email': 'mıke@example.org'}
+ form = PasswordResetForm(data)
+ if six.PY2:
+ self.assertFalse(form.is_valid())
+ else:
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 0)
+
+ def test_user_email_domain_unicode_collision_nonexistent(self):
+ User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+ data = {'email': 'mike@ıxample.org'}
+ form = PasswordResetForm(data)
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 0)
+
def test_nonexistent_email(self):
"""
Test nonexistent email address. This should not fail because it would