sso: Adjust URL to CAPTCHA page needed by Django security fix

Fixes: #2170 (closed).

Starting with Django 2.2.25, re_path behavior has changed. When the regular expression ends with a '$', a full match is performed with the regular expression. This breaks the behavior of how we are currently matching the locked URLs for CAPTCHA based login forms.

Tests:

  • All tests are done on Debian stable with Django 2.2.25 and on Debian unstable with Django 3.2.10.

  • Go to home page, click on login link. Enter wrong password three times. CAPTCHA page is shown with URL ending with /locked. Type the correct password and login will be successful.

  • Install tt-rss. Log out. Go to /tt-rss/, redirection will happen to login page. Enter wrong password three times. CAPTCHA page is shown with URL ending with /locked. Type the correct password and login will be successful.
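
The matching change described above, as an added illustration that is not code from this merge request or from Django. It models the old behavior as a search-style match (an assumption) and the new one as a full match for patterns ending in '$', then lists which routes change result; all patterns and paths are constructed samples.

```python
import re


def match_before(pattern, path):
    """Search-style match: the pattern may match anywhere in the path."""
    return re.compile(pattern).search(path) is not None


def match_after(pattern, path):
    """Model of the described change: full match when the pattern ends with '$'."""
    regex = re.compile(pattern)
    if pattern.endswith('$'):
        return regex.fullmatch(path) is not None
    return regex.search(path) is not None


def changed_routes(patterns, paths):
    """Return (pattern, path) pairs whose result differs between the two models."""
    return [(p, s) for p in patterns for s in paths
            if match_before(p, s) != match_after(p, s)]


# Constructed URL patterns (not the project's real routes).
UNANCHORED = r'login/locked/$'          # no leading '^': relies on search semantics
ANCHORED = r'^accounts/login/locked/$'  # anchored at both ends
PREFIX = r'^accounts/login/'            # no trailing '$': unaffected by the change
PATTERNS = [UNANCHORED, ANCHORED, PREFIX]

# Constructed request paths. The second has a trailing newline: in Python,
# '$' also matches just before a final newline under search(), while
# fullmatch() requires the whole string to be consumed.
PATHS = [
    'accounts/login/locked/',
    'accounts/login/locked/\n',
    'login/locked/',
]

if __name__ == '__main__':
    for pattern, path in changed_routes(PATTERNS, PATHS):
        print(f'{pattern!r} no longer matches {path!r}')
```

A pattern that only matched because of search semantics (the unanchored one here) stops matching its usual path after the upgrade, which is the kind of breakage this merge request addresses.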
