Fix a nasty CSRF vulnerability. An attacker could be phishing account data by...

Fix a nasty CSRF vulnerability. An attacker could be phishing account data by spoofed URLs from our legit sender relay

debexpo/controllers/password_recover.py

@@ -77,7 +77,7 @@ class PasswordRecoverController(BaseController):
         meta.session.commit()
 
         recipient = u.email
-        password_reset_url = 'http://' + request.host + url.current(
+        password_reset_url = 'http://' + config['debexpo.sitename'] + url.current(
             action='actually_reset_password', id=password_reset_data.temporary_auth_key)
         email.send([recipient], password_reset_url=password_reset_url)
 

debexpo/controllers/register.py

@@ -84,7 +84,7 @@ class RegisterController(BaseController):
         """
         log.debug('Sending activation email')
         email = Email('register_activate')
-        activate_url = 'http://' + request.host + url.current(action='activate', id=key)
+        activate_url = 'http://' + config['debexpo.sitename'] + url.current(action='activate', id=key)
         email.send([recipient], activate_url=activate_url)
 
     @validate(schema=RegisterForm(), form='register')