allura-commits mailing list archives

From brond...@apache.org
Subject allura git commit: [#8140] reset current session id during password reset, so even a theoretical shared copy of the session wouldn't stay valid either
Date Mon, 12 Dec 2016 22:19:59 GMT
Repository: allura
Updated Branches:
  refs/heads/db/8140 [created] 7a2ff28ca


[#8140] reset current session id during password reset, so even a theoretical shared copy
of the session wouldn't stay valid either


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/7a2ff28c
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/7a2ff28c
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/7a2ff28c

Branch: refs/heads/db/8140
Commit: 7a2ff28ca1c85c4b1bc5e643161a387e38c5b010
Parents: 5971940
Author: Dave Brondsema <dave@brondsema.net>
Authored: Mon Dec 12 17:19:42 2016 -0500
Committer: Dave Brondsema <dave@brondsema.net>
Committed: Mon Dec 12 17:19:42 2016 -0500

----------------------------------------------------------------------
 Allura/allura/controllers/auth.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/7a2ff28c/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 932f106..284f750 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -23,7 +23,6 @@ from urlparse import urlparse, urljoin
 
 import bson
 import tg
-from allura.lib.exceptions import InvalidRecoveryCode, MultifactorRateLimitError
 from tg import expose, flash, redirect, validate, config, session
 from tg.decorators import with_trailing_slash, without_trailing_slash
 from pylons import tmpl_context as c, app_globals as g
@@ -31,6 +30,7 @@ from pylons import request, response
 from webob import exc as wexc
 from paste.deploy.converters import asbool
 from cryptography.hazmat.primitives.twofactor import InvalidToken
+from beaker.session import _session_id
 
 import allura.tasks.repo_tasks
 from allura import model as M
@@ -39,6 +39,7 @@ from allura.lib.security import require_authenticated, has_access
 from allura.lib import helpers as h
 from allura.lib import plugin
 from allura.lib.decorators import require_post, reconfirm_auth
+from allura.lib.exceptions import InvalidRecoveryCode, MultifactorRateLimitError
 from allura.lib.repository import RepositoryApp
 from allura.lib.widgets import (
     SubscriptionForm,
@@ -640,6 +641,8 @@ class PreferencesController(BaseController):
         ap = plugin.AuthenticationProvider.get(request)
         try:
             ap.set_password(c.user, kw['oldpw'], kw['pw'])
+            session['_id'] = _session_id()  # new one so even if this session had been intercepted
somehow, its invalid
+            session.save()
             c.user.set_tool_data('allura', pwd_reset_preserve_session=session.id)
             c.user.set_tool_data('AuthPasswordReset', hash='', hash_expiry='')
 
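Review bot: The rotation at `session['_id'] = _session_id()` reaches into Beaker internals — the underscore import and the `_id` key match Beaker's cookie-session layout, and if Allura is ever run with a server-side session type the id is an attribute rather than that key, so `session.id` read on the next line for `pwd_reset_preserve_session` would still be the old value; Beaker's public `session.regenerate_id()` does this job where the installed version provides it, and it would be the safer call. The comment also overstates what this line achieves on its own: a signed client-side cookie that was copied still carries a valid signature and its old `_id`, and it is only rejected if the login path compares the cookie's id against `pwd_reset_preserve_session`, which is outside this hunk and should be named here. I would word it as `# rotate the session id; an intercepted copy keeps the old id and is rejected by the pwd_reset_preserve_session check` (and `its` → `it's` if the original wording stays). If the e-mailed password-recovery flow sets a password through a different method than this one, it presumably needs the same rotation — worth confirming. The enclosing method starts before this hunk.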

