authorRomain Garrigues <romain.garrigues@makina-corpus.com>2017-01-13 14:17:54 +0000
committerTim Graham <timograham@gmail.com>2017-01-13 09:17:54 -0500
commitede59ef6f39ff8a6443c2b24df0208ef6ec41ee0 (patch)
treeee8c155dbc4520371e06fe3251e45e283fc5115d /tests/auth_tests/test_tokens.py
parent91023d79ec70df9289271e63a67675ee51e7dea8 (diff)
Fixed #27518 -- Prevented possible password reset token leak via HTTP Referer header.
Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review.
Diffstat (limited to 'tests/auth_tests/test_tokens.py')
-rw-r--r--tests/auth_tests/test_tokens.py7
1 files changed, 7 insertions, 0 deletions
diff --git a/tests/auth_tests/test_tokens.py b/tests/auth_tests/test_tokens.py
index 99f9741a0a..7ff3f15f3d 100644
--- a/tests/auth_tests/test_tokens.py
+++ b/tests/auth_tests/test_tokens.py
@@ -62,3 +62,10 @@ class TokenGeneratorTest(TestCase):
# This will put a 14-digit base36 timestamp into the token, which is too large.
with self.assertRaises(ValueError):
p0._make_token_with_timestamp(user, 175455491841851871349)
+
+ def test_check_token_with_nonexistent_token_and_user(self):
+ user = User.objects.create_user('tokentestuser', 'test2@example.com', 'testpw')
+ p0 = PasswordResetTokenGenerator()
+ tk1 = p0.make_token(user)
+ self.assertIs(p0.check_token(None, tk1), False)
+ self.assertIs(p0.check_token(user, None), False)
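Review bot: The new test covers a missing user and a missing token separately, but not both missing at once or an empty-string token, which is what a view would likely pass when the URL carries no usable token. Adding `self.assertIs(p0.check_token(None, None), False)` and `self.assertIs(p0.check_token(user, ''), False)` would pin that check_token fails closed rather than raising for every falsy input; the guard itself is in a file not shown here, so confirm it treats '' like None. A one-line comment such as `# check_token() must return False, not raise, when the user or token is missing.` would also record why the test exists. The enclosing TokenGeneratorTest class starts outside the hunk.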