Fixing email link injection bug
Several templates used a variable set by the user (the request host header). This led to a vulnerability where an attacker could inject their domain name into these templates (i.e., activation emails). This patch fixes this vulnerability. LMS-532
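The defensive pattern the commit describes, resolving the host name for email links from configuration and an allowlist instead of trusting the request's Host header, as an added illustration; this is not the edx-platform code from the patch, and `SITE_NAME`, `ALLOWED_HOSTS`, `FakeRequest`, `safe_get_host` and `build_activation_link` are constructed stand-ins rather than the project's own settings or helpers:

```python
"""Added example (not the edx-platform code): choose a trusted host for links
embedded in outgoing email rather than echoing the request's Host header."""
from dataclasses import dataclass, field
import re

# Constructed configuration; stand-ins for whatever settings a deployment uses.
SITE_NAME = "courses.example.com"                       # assumed canonical site name
ALLOWED_HOSTS = ["courses.example.com", "preview.example.com"]

# Host header syntax we are willing to consider at all: hostname plus optional port.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d+)?$")


@dataclass
class FakeRequest:
    """Minimal stand-in for an HTTP request object carrying a Host header."""
    headers: dict = field(default_factory=dict)

    def get_host(self):
        return self.headers.get("Host", "")


def safe_get_host(request, allowed_hosts=ALLOWED_HOSTS, site_name=SITE_NAME):
    """Return the request's Host header only when it is on the allowlist.

    Anything else (malformed, empty, or an unknown domain) falls back to the
    configured site name, so a template can never be fed a caller-chosen host.
    The port suffix is ignored for matching but preserved in the result.
    """
    host = request.get_host()
    if not _HOST_RE.match(host):
        return site_name
    bare = host.split(":", 1)[0].lower()
    if any(bare == allowed.lower() for allowed in allowed_hosts):
        return host
    return site_name


def build_activation_link(request, activation_key):
    """Build the activation URL that goes into the email, from a trusted host only."""
    return "https://{}/activate/{}".format(safe_get_host(request), activation_key)


if __name__ == "__main__":
    # Constructed requests: one with the real site host, one with an unknown host.
    trusted = FakeRequest({"Host": "courses.example.com"})
    unknown = FakeRequest({"Host": "not-our-site.example.net"})
    print(build_activation_link(trusted, "KEY-1"))
    print(build_activation_link(unknown, "KEY-2"))
```

The allowlist check is the important part: a fallback alone still lets an attacker-controlled value through whenever it happens to look like a valid host, whereas comparing against the configured hosts means the only domains that can ever appear in an activation email are the ones the operator chose.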
Showing 5 changed files:
- common/djangoapps/edxmako/middleware.py (2 additions, 1 deletion)
- common/djangoapps/student/tests/test_email.py (27 additions, 0 deletions)
- common/djangoapps/util/request.py (17 additions, 0 deletions)
- common/djangoapps/util/tests/test_request.py (39 additions, 0 deletions)
- lms/envs/common.py (1 addition, 0 deletions)