self-hosted/Mailu
1
0
Fork 0
mirror of https://github.com/Mailu/Mailu.git synced 2024-12-12 10:45:38 +02:00
Code Issues Releases Activity

Regenerate session-ids to prevent session fixation

Browse Source
This commit is contained in:
Florent Daigniere 2021-02-22 20:43:52 +01:00
parent d459c37432
commit a1d32568d6
2 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/admin/mailu/ui/views/base.py
View File

@ -17,6 +17,7 @@ def login():
if form.validate_on_submit():
user = models.User.login(form.email.data, form.pw.data)
if user:
flask.session.regenerate()
flask_login.login_user(user)
endpoint = flask.request.args.get('next', '.index')
return flask.redirect(flask.url_for(endpoint)
@ -30,6 +31,7 @@ def login():
@access.authenticated
def logout():
flask_login.logout_user()
flask.session.destroy()
return flask.redirect(flask.url_for('.index'))

2
core/admin/mailu/ui/views/users.py
View File

@ -119,6 +119,7 @@ def user_password(user_email):
if form.pw.data != form.pw2.data:
flask.flash('Passwords do not match', 'error')
else:
flask.session.regenerate()
user.set_password(form.pw.data)
models.db.session.commit()
flask.flash('Password updated for %s' % user)
@ -186,6 +187,7 @@ def user_signup(domain_name=None):
if domain.has_email(form.localpart.data):
flask.flash('Email is already used', 'error')
else:
flask.session.regenerate()
user = models.User(domain=domain)
form.populate_obj(user)
user.set_password(form.pw.data)