| author | Simon Charette <charette.s@gmail.com> | 2019-12-16 21:51:57 -0500 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2019-12-18 09:11:39 +0100 |
| commit | 5b1fbcef7a8bec991ebe7b2a18b5d5a95d72cb70 (patch) | |
| tree | 77991a30e32bb8f18971a89f23461b66714931fe /tests/auth_tests/test_forms.py | |
| parent | f4647179ccd13c852563205273163b641d4b01a5 (diff) | |
Fixed CVE-2019-19844 -- Used verified user email for password reset requests.
Co-Authored-By: Florian Apolloner <florian@apolloner.eu>
Diffstat (limited to 'tests/auth_tests/test_forms.py')
| -rw-r--r-- | tests/auth_tests/test_forms.py | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
index 40e3050144..4e5f8e3094 100644
--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
@@ -804,6 +804,42 @@ class PasswordResetFormTest(TestDataMixin, TestCase):
 self.assertFalse(form.is_valid())
 self.assertEqual(form['email'].errors, [_('Enter a valid email address.')])
+ def test_user_email_unicode_collision(self):
+ User.objects.create_user('mike123', 'mike@example.org', 'test123')
+ User.objects.create_user('mike456', 'mıke@example.org', 'test123')
+ data = {'email': 'mıke@example.org'}
+ form = PasswordResetForm(data)
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 1)
+ self.assertEqual(mail.outbox[0].to, ['mıke@example.org'])
+
+ def test_user_email_domain_unicode_collision(self):
+ User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+ User.objects.create_user('mike456', 'mike@ıxample.org', 'test123')
+ data = {'email': 'mike@ıxample.org'}
+ form = PasswordResetForm(data)
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 1)
+ self.assertEqual(mail.outbox[0].to, ['mike@ıxample.org'])
+
+ def test_user_email_unicode_collision_nonexistent(self):
+ User.objects.create_user('mike123', 'mike@example.org', 'test123')
+ data = {'email': 'mıke@example.org'}
+ form = PasswordResetForm(data)
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 0)
+
+ def test_user_email_domain_unicode_collision_nonexistent(self):
+ User.objects.create_user('mike123', 'mike@ixample.org', 'test123')
+ data = {'email': 'mike@ıxample.org'}
+ form = PasswordResetForm(data)
+ self.assertTrue(form.is_valid())
+ form.save()
+ self.assertEqual(len(mail.outbox), 0)
+
 def test_nonexistent_email(self):
 """
 Test nonexistent email address. This should not fail because it would |
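Review bot: The `.to` assertions in `test_user_email_unicode_collision` and `test_user_email_domain_unicode_collision` cannot tell whether the mail went to the address stored on the user or to the address submitted in the form, because both are the same string in these fixtures. If case-insensitive matching of plain ASCII variants is still intended, a case where the two differ would pin the "verified user email" behaviour named in the commit title, e.g. `data = {'email': 'MIKE@example.org'}` followed by `self.assertEqual(mail.outbox[0].to, ['mike@example.org'])`; such a test may already exist outside this hunk. A one-line comment on each new test would also help the next reader, for instance `# 'ı' (U+0131, dotless i) can compare equal to 'i' under case-insensitive lookups; the reset must not reach the look-alike account.` The methods are added to `PasswordResetFormTest`, whose definition starts outside the hunk.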
