From f0cc93abd3ecd369d91f3d76118c142c058edb6e Mon Sep 17 00:00:00 2001
From: Ozzie Isaacs
Date: Sat, 6 Jan 2024 16:07:43 +0100
Subject: [PATCH] Sanitze username for logging

---
 cps/web.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/cps/web.py b/cps/web.py
index d9c54016..67d22ec7 100755
--- a/cps/web.py
+++ b/cps/web.py
@@ -1354,21 +1354,21 @@ def login():
 @limiter.limit("3/minute", key_func=lambda: request.form.get('username', "").strip().lower())
 def login_post():
 form = request.form.to_dict()
+ username = form.get('username', "").strip().lower().replace("\n","\\n").replace("\r","")
 try:
 limiter.check()
 except RateLimitExceeded:
 flash(_(u"Please wait one minute before next login"), category="error")
- return render_login(form.get("username", ""), form.get("password", ""))
+ return render_login(username, form.get("password", ""))
 if current_user is not None and current_user.is_authenticated:
 return redirect(url_for('web.index'))
 if config.config_login_type == constants.LOGIN_LDAP and not services.ldap:
 log.error(u"Cannot activate LDAP authentication")
 flash(_(u"Cannot activate LDAP authentication"), category="error")
- user = ub.session.query(ub.User).filter(func.lower(ub.User.name) == form.get('username', "").strip().lower()) \
- .first()
+ user = ub.session.query(ub.User).filter(func.lower(ub.User.name) == username).first()
 remember_me = bool(form.get('remember_me'))
 if config.config_login_type == constants.LOGIN_LDAP and services.ldap and user and form['password'] != "":
- login_result, error = services.ldap.bind_user(form['username'], form['password'])
+ login_result, error = services.ldap.bind_user(username, form['password'])
 if login_result:
 log.debug(u"You are now logged in as: '{}'".format(user.name))
 return handle_login_user(user, 
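Review bot: The log-escaped value is also the value that authenticates: the new `username` carries the `\n`→`\\n` replacement, the `\r` removal and the lowercasing into the `ub.User` lookup and into `services.ldap.bind_user(username, ...)`, where the removed line passed the raw `form['username']`. For the LDAP bind that is a behavioural change beyond the "for logging" scope of the commit, and whether a stripped, lowercased bind name is accepted depends on the directory, so it may break logins that worked before. Keep one normalised value for lookup/bind and a separate display value for the log lines (also used in the 1388, 1397 and 1413 hunks): `username = form.get('username', "").strip().lower()` followed by `log_username = username.replace("\n", "\\n").replace("\r", "")`. The escaping is also partial, since other control characters (tab, escape, backspace) still reach the log verbatim; filtering on `str.isprintable()` or using `repr()`-style escaping for the display value would cover them. login_post's body continues past the end of this hunk.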
@@ -1388,7 +1388,7 @@ def login_post():
 flash(_(u"Could not login: %(message)s", message=error), category="error")
 else:
 ip_address = request.headers.get('X-Forwarded-For', request.remote_addr)
- log.warning('LDAP Login failed for user "%s" IP-address: %s', form['username'], ip_address)
+ log.warning('LDAP Login failed for user "%s" IP-address: %s', username, ip_address)
 flash(_(u"Wrong Username or Password"), category="error")
 else:
 ip_address = request.headers.get('X-Forwarded-For', request.remote_addr)
@@ -1397,7 +1397,7 @@ def login_post():
 ret, __ = reset_password(user.id)
 if ret == 1:
 flash(_(u"New Password was send to your email address"), category="info")
- log.info('Password reset for user "%s" IP-address: %s', form['username'], ip_address)
+ log.info('Password reset for user "%s" IP-address: %s', username, ip_address)
 else:
 log.error(u"An unknown error occurred. Please try again later")
 flash(_(u"An unknown error occurred. Please try again later."), category="error")
@@ -1413,9 +1413,9 @@ def login_post():
 _(u"You are now logged in as: '%(nickname)s'", nickname=user.name), "success")
 else:
- log.warning('Login failed for user "{}" IP-address: {}'.format(form['username'], ip_address))
+ log.warning('Login failed for user "{}" IP-address: {}'.format(username, ip_address))
 flash(_(u"Wrong Username or Password"), category="error")
- return render_login(form.get("username", ""), form.get("password", ""))
+ return render_login(username, form.get("password", ""))
 @web.route('/logout')
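Review bot: The `ip_address` argument on the new log.warning line is the other client-influenced field in the same log entry and it stays unsanitised: it is read from `X-Forwarded-For` whenever that header is present, so any client can place an arbitrary string there, and the 1397 and 1413 hunks log the same variable. HTTP parsers normally reject bare CR/LF inside header values, so line injection is less likely than via the form field, but the value is still spoofable and unbounded in length. Only honour the header behind a known proxy (Werkzeug's ProxyFix, or `request.access_route`), or at least validate what gets logged by parsing the first comma-separated entry with `ipaddress.ip_address(...)` and falling back to `request.remote_addr` on `ValueError`. The two `ip_address = ...` assignments are unchanged context in this hunk, and login_post starts and ends outside it.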
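Review bot: The rewritten log.warning line in the 1413 hunk still formats eagerly with `str.format`, whereas the two sibling lines this commit touches (1388 and 1397 hunks) pass lazy `%s` arguments to the logger; for consistency, and so the string is only built when WARNING is enabled, use `log.warning('Login failed for user "%s" IP-address: %s', username, ip_address)`. Separately, the final `return render_login(username, ...)` now hands the stripped, lowercased, escaped value to the login view instead of what the user typed; if render_login repopulates the username field (not visible here), a name typed with capitals comes back lowercased, which is harmless if intended but deserves a comment such as `# normalised username is echoed back into the form` since the commit message mentions only logging. login_post starts outside this hunk.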