From ecec1e5051f7d9bcb4011601dec615a9941d2c12 Mon Sep 17 00:00:00 2001
From: Max Goodman
Date: Wed, 8 Jan 2014 14:27:34 -0800
Subject: [PATCH] Don't log in / log out in the password reset flow. This prevents using valid password reset tokens to force a logout CSRF, as reported by Mathias Karlsson.
---
 r2/r2/controllers/api.py | 9 +++++++--
 r2/r2/controllers/front.py | 5 -----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index 51b5d45d8..068950705 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -2761,8 +2761,13 @@ class ApiController(RedditController, OAuth2ResourceController):
 g.log.warning("%s did a password reset for %s via %s", request.ip, user.name, token._id)
- self._login(jquery, user)
- jquery.redirect('/')
+ # if the token is for the current user, their cookies will be
+ # invalidated and they'll have to log in again.
+ if not c.user_is_loggedin or c.user._fullname == token.user_id:
+ jquery.redirect('/login')
+
+ form.set_html(".status", _("password updated"))
+
 @noresponse(VUser())
diff --git a/r2/r2/controllers/front.py b/r2/r2/controllers/front.py
index b791068b2..9bc53516a 100755
--- a/r2/r2/controllers/front.py
+++ b/r2/r2/controllers/front.py
@@ -1288,11 +1288,6 @@ class FormsController(RedditController):
 done = referer_path.startswith(request.fullpath)
 elif not token:
 return self.redirect("/password?expired=true")
- else:
- #if another user is logged-in, log them out
- if c.user_is_loggedin:
- self.logout()
- return self.redirect(request.path)
 token_user = Account._by_fullname(token.user_id, data=True)
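Review bot: The new comment above the `/login` redirect in the api.py hunk states that the current user's cookies "will be invalidated", but nothing in this hunk does that; if it relies on the password change earlier in this handler (whose start is outside the hunk) making the existing login cookie unverifiable, the comment should say where that happens and why the handler deliberately neither logs in nor logs out, e.g. `# Never log the requester in or out here: a reset link must not be able to force a session change (login/logout CSRF). If the token belongs to the current account, the password change above has already invalidated its session cookie, so send them to /login.` It is also worth confirming, in the part of the handler not shown, that the reset token is consumed after a successful reset, since the visible lines only log its use and a token that stays valid until expiry could be replayed to change the password again. Note that the warning on the context line records `token._id`; if that is the secret value from the reset URL, it is being written to logs that outlive the token's validity window, so consider logging only a non-secret reference to the token.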