authorRomain Garrigues <romain.garrigues@makina-corpus.com>2017-01-13 14:17:54 +0000
committerTim Graham <timograham@gmail.com>2017-01-13 09:17:54 -0500
commitede59ef6f39ff8a6443c2b24df0208ef6ec41ee0 (patch)
treeee8c155dbc4520371e06fe3251e45e283fc5115d /tests/auth_tests/test_templates.py
parent91023d79ec70df9289271e63a67675ee51e7dea8 (diff)
Fixed #27518 -- Prevented possible password reset token leak via HTTP Referer header.
Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review.
Diffstat (limited to 'tests/auth_tests/test_templates.py')
-rw-r--r--tests/auth_tests/test_templates.py13
1 files changed, 10 insertions, 3 deletions
diff --git a/tests/auth_tests/test_templates.py b/tests/auth_tests/test_templates.py
index 9414f8b299..a1d14c9774 100644
--- a/tests/auth_tests/test_templates.py
+++ b/tests/auth_tests/test_templates.py
@@ -3,12 +3,15 @@ from django.contrib.auth.models import User
from django.contrib.auth.tokens import PasswordResetTokenGenerator
from django.contrib.auth.views import (
PasswordChangeDoneView, PasswordChangeView, PasswordResetCompleteView,
- PasswordResetConfirmView, PasswordResetDoneView, PasswordResetView,
+ PasswordResetDoneView, PasswordResetView,
)
from django.test import RequestFactory, TestCase, override_settings
+from django.urls import reverse
from django.utils.encoding import force_bytes, force_text
from django.utils.http import urlsafe_base64_encode
+from .client import PasswordResetConfirmClient
+
@override_settings(ROOT_URLCONF='auth_tests.urls')
class AuthTemplateTests(TestCase):
@@ -34,16 +37,20 @@ class AuthTemplateTests(TestCase):
def test_PasswordResetConfirmView_invalid_token(self):
# PasswordResetConfirmView invalid token
- response = PasswordResetConfirmView.as_view(success_url='dummy/')(self.request, uidb64='Bad', token='Bad')
+ client = PasswordResetConfirmClient()
+ url = reverse('password_reset_confirm', kwargs={'uidb64': 'Bad', 'token': 'Bad-Token'})
+ response = client.get(url)
self.assertContains(response, '<title>Password reset unsuccessful</title>')
self.assertContains(response, '<h1>Password reset unsuccessful</h1>')
def test_PasswordResetConfirmView_valid_token(self):
# PasswordResetConfirmView valid token
+ client = PasswordResetConfirmClient()
default_token_generator = PasswordResetTokenGenerator()
token = default_token_generator.make_token(self.user)
uidb64 = force_text(urlsafe_base64_encode(force_bytes(self.user.pk)))
- response = PasswordResetConfirmView.as_view(success_url='dummy/')(self.request, uidb64=uidb64, token=token)
+ url = reverse('password_reset_confirm', kwargs={'uidb64': uidb64, 'token': token})
+ response = client.get(url)
self.assertContains(response, '<title>Enter new password</title>')
self.assertContains(response, '<h1>Enter new password</h1>')
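Review bot: test_PasswordResetConfirmView_valid_token asserts only the rendered title and heading, so it would still pass if the form were served at a URL that contains the token, which is the Referer leak the commit title describes. PasswordResetConfirmClient comes from `.client`, outside this diff, so what it does with the reversed URL cannot be checked here. A comment above `client = PasswordResetConfirmClient()` would help, for example `# Custom client: the confirm view is no longer called directly with the token (see .client)`. If the view tests do not already cover it, also assert that `token` is absent from the path of the request that produced `response`. In the invalid-token test the value changed from 'Bad' to 'Bad-Token', presumably so that `reverse()` matches the URL pattern; a one-line comment saying so would stop a later reader from shortening it again.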