Escape callback error code (#710)
parent
feec15f070
commit
cf13958d7d
|
@ -176,6 +176,7 @@ try:
|
|||
from flask import request
|
||||
from flask import session
|
||||
from flask import url_for
|
||||
import markupsafe
|
||||
except ImportError: # pragma: NO COVER
|
||||
raise ImportError('The flask utilities require flask 0.9 or newer.')
|
||||
|
||||
|
@ -388,6 +389,7 @@ class UserOAuth2(object):
|
|||
if 'error' in request.args:
|
||||
reason = request.args.get(
|
||||
'error_description', request.args.get('error', ''))
|
||||
reason = markupsafe.escape(reason)
|
||||
return ('Authorization failed: {0}'.format(reason),
|
||||
httplib.BAD_REQUEST)
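Review bot: The tuple returned at `return ('Authorization failed: {0}'.format(reason), httplib.BAD_REQUEST)` sets no explicit content type, so Flask serves the body as text/html, and that is the only reason the `markupsafe.escape(reason)` line above it is required; nothing in the hunk records this, so a later edit could drop the escape or switch the response to JSON/plain text and silently make the HTML escaping wrong or insufficient. Suggested comment directly above the escape line: `# Body is served as text/html (Flask default) and 'reason' comes straight from the query string, so HTML-escape it.` Note that `markupsafe.escape` returns a `Markup` object and `str.format` turns it back into a plain `str`, which is fine for this return but worth knowing if the value is ever reused in a template. The enclosing method starts and ends outside the hunk.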
|
||||
|
||||
|
|
|
@ -258,6 +258,18 @@ class FlaskOAuth2Tests(unittest.TestCase):
|
|||
self.assertEqual(response.status_code, httplib.BAD_REQUEST)
|
||||
self.assertIn('something', response.data.decode('utf-8'))
|
||||
|
||||
# Error supplied to callback with html
|
||||
with self.app.test_client() as client:
|
||||
with client.session_transaction() as session:
|
||||
session['google_oauth2_csrf_token'] = 'tokenz'
|
||||
|
||||
response = client.get(
|
||||
'/oauth2callback?state={}&error=<script>something<script>')
|
||||
self.assertEqual(response.status_code, httplib.BAD_REQUEST)
|
||||
self.assertIn(
|
||||
'<script>something<script>',
|
||||
response.data.decode('utf-8'))
|
||||
|
||||
# CSRF mismatch
|
||||
with self.app.test_client() as client:
|
||||
with client.session_transaction() as session:
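Review bot: The expected value at `'<script>something<script>'` is shown here identical to the raw `error` value sent in the request URL, so as rendered the assertion would also pass if the escape were removed; this may simply be the page un-escaping `&lt;script&gt;…` on display, but if the source really reads this way the test does not verify escaping. Assert the escaped form and the absence of the raw tag instead: `body = response.data.decode('utf-8')`, `self.assertIn('&lt;script&gt;something&lt;script&gt;', body)` and `self.assertNotIn('<script>', body)`. The `state={}` in the request path also looks like an unformatted placeholder; it is presumably harmless because the `error` branch is taken before the CSRF check, but confirm that ordering in the callback.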
|
||||
|
|