authorSimon Charette <charette.s@gmail.com>2019-12-16 21:51:57 -0500
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2019-12-18 09:14:44 +0100
commit302a4ff1e8b1c798aab97673909c7a3dfda42c26 (patch)
treec0c0ba7c5c06c6127d5717b70b69b525dfb05dda /tests/auth_tests/test_forms.py
parent33d2cda672f21c204aca17615feada68a663a701 (diff)
[3.0.x] Fixed CVE-2019-19844 -- Used verified user email for password reset requests.
Backport of 5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70 from master. Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
Diffstat (limited to 'tests/auth_tests/test_forms.py')
-rw-r--r--tests/auth_tests/test_forms.py36
1 files changed, 36 insertions, 0 deletions
diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
index 40e3050144..4e5f8e3094 100644
--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@@ -804,6 +804,42 @@ class PasswordResetFormTest(TestDataMixin, TestCase):
self.assertFalse(form.is_valid())
self.assertEqual(form['email'].errors, [_('Enter a valid email address.')])
+ def test_user_email_unicode_collision(self):
+ User.objects.create_user('mike123', 'mike@example.org', 'test123')
+ User.objects.create_user('mike456', 'mıke@example.org', 'test123')
+ data = {'email': 'mıke@example.org'}
+ form = PasswordResetForm(data)
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 1)
+ self.assertEqual(mail.outbox[0].to, ['mıke@example.org'])
+
+ def test_user_email_domain_unicode_collision(self):
+ User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+ User.objects.create_user('mike456', 'mike@ıxample.org', 'test123')
+ data = {'email': 'mike@ıxample.org'}
+ form = PasswordResetForm(data)
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 1)
+ self.assertEqual(mail.outbox[0].to, ['mike@ıxample.org'])
+
+ def test_user_email_unicode_collision_nonexistent(self):
+ User.objects.create_user('mike123', 'mike@example.org', 'test123')
+ data = {'email': 'mıke@example.org'}
+ form = PasswordResetForm(data)
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 0)
+
+ def test_user_email_domain_unicode_collision_nonexistent(self):
+ User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+ data = {'email': 'mike@ıxample.org'}
+ form = PasswordResetForm(data)
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 0)
+
def test_nonexistent_email(self):
"""
Test nonexistent email address. This should not fail because it would