Ensure email validation link parameters are URL-encoded (#6063)
The validation links sent via email had their query parameters inserted without any URL-encoding. Surprisingly this didn't seem to cause any issues, but if a user were to put a `/` in their client_secret it could lead to problems.
This commit is contained in:
parent
3ac614eb6c
commit
aeb40f355c
|
@ -0,0 +1 @@
|
|||
Ensure query parameters in email validation links are URL-encoded.
|
|
@ -136,10 +136,11 @@ class Mailer(object):
|
|||
group together multiple email sending attempts
|
||||
sid (str): The generated session ID
|
||||
"""
|
||||
params = {"token": token, "client_secret": client_secret, "sid": sid}
|
||||
link = (
|
||||
self.hs.config.public_baseurl
|
||||
+ "_matrix/client/unstable/password_reset/email/submit_token"
|
||||
"?token=%s&client_secret=%s&sid=%s" % (token, client_secret, sid)
|
||||
+ "_matrix/client/unstable/password_reset/email/submit_token?%s"
|
||||
% urllib.parse.urlencode(params)
|
||||
)
|
||||
|
||||
template_vars = {"link": link}
|
||||
|
@ -163,10 +164,11 @@ class Mailer(object):
|
|||
group together multiple email sending attempts
|
||||
sid (str): The generated session ID
|
||||
"""
|
||||
params = {"token": token, "client_secret": client_secret, "sid": sid}
|
||||
link = (
|
||||
self.hs.config.public_baseurl
|
||||
+ "_matrix/client/unstable/registration/email/submit_token"
|
||||
"?token=%s&client_secret=%s&sid=%s" % (token, client_secret, sid)
|
||||
+ "_matrix/client/unstable/registration/email/submit_token?%s"
|
||||
% urllib.parse.urlencode(params)
|
||||
)
|
||||
|
||||
template_vars = {"link": link}
|
||||
|
|
Loading…
Reference in New Issue