commit 77776deaad380d9a48524c69533bf566a7a1406b Author: Isis Lovecruft isis@torproject.org Date: Tue Nov 28 19:43:10 2017 +0000
Fix error in usage of redirectTo() with a malicious request.
* FIXES #24460: https://bugs.torproject.org/24460 --- bridgedb/distributors/https/server.py | 6 ++++-- bridgedb/test/test_https_server.py | 14 ++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/bridgedb/distributors/https/server.py b/bridgedb/distributors/https/server.py
index 352a838..d4771a6 100644
--- a/bridgedb/distributors/https/server.py
+++ b/bridgedb/distributors/https/server.py
@@ -410,8 +410,10 @@ class CaptchaProtectedResource(CustomErrorHandlingResource, CSPResource):
try:
challenge = request.args['captcha_challenge_field'][0]
response = request.args['captcha_response_field'][0]
- except Exception: # pragma: no cover
- return redirectTo(request.URLPath(), request)
+ except Exception as error:
+ logging.debug(("Client CAPTCHA solution to HTTPS distributor server"
+ "didn't include correct HTTP arguments: %s" % error))
+ return redirectTo(type(b'')(request.URLPath()), request)
return (challenge, response)

def checkSolution(self, request):
diff --git a/bridgedb/test/test_https_server.py b/bridgedb/test/test_https_server.py
index dbd177f..13ec20e 100644
--- a/bridgedb/test/test_https_server.py
+++ b/bridgedb/test/test_https_server.py
@@ -372,6 +372,20 @@ class GimpCaptchaProtectedResourceTests(unittest.TestCase):
self.assertEqual(challenge, expectedChallenge)
self.assertEqual(response, expectedResponse)
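Review bot: The new `type(b'')(request.URLPath())` on the redirect line obscures what the conversion does: on Python 2 it is `str()`, but on Python 3 it becomes `bytes()`, which only succeeds if `URLPath` implements `__bytes__`, so the TypeError this commit fixes could reappear once the code runs under Python 3. An explicit conversion such as `return redirectTo(request.prePathURL(), request)` (which, as far as I recall, already yields the bytes `redirectTo` requires) or `str(request.URLPath()).encode('utf-8')` states the intent without depending on that dunder. Two smaller points: the two adjacent literals in the added `logging.debug` call concatenate to "serverdidn't" (the first literal needs a trailing space), and `except Exception` is still broad, though now at least logged; the visible lookups can only raise `KeyError`/`IndexError`, so `except (KeyError, IndexError) as error:` would keep unrelated failures visible. Note also that the redirect target is the request's own URL, which Twisted derives from the client-supplied Host header, so the Location value is client-influenced; acceptable for a redirect-to-self, but worth remembering if a configured base URL is ever available. extractClientSolution's signature and any callers are outside the hunk.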
+ def test_extractClientSolution_missing_arguments(self):
+ """A solution with missing arguments (the solution field) should
+ return a very agressive redirect to the originally requested,
+ CAPTCHA-protected page.
+ """
+ expectedChallenge = '23232323232323232323'
+
+ self.request.method = b'POST'
+ self.request.addArg('captcha_challenge_field', expectedChallenge)
+
+ response = self.captchaResource.extractClientSolution(self.request)
+
+ self.assertIn("click here", response)
+
def test_checkSolution(self):
"""checkSolution() should return False is the solution is invalid."""
expectedChallenge = '23232323232323232323'
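Review bot: The new test's `self.assertIn("click here", response)` pins the behaviour to the body text of Twisted's redirect page rather than to the redirect itself, and under Python 3 it compares a `str` needle against the `bytes` body `redirectTo` returns, which raises TypeError instead of producing a clean assertion failure. Asserting the redirect directly is more robust and matches the docstring's intent, e.g. `self.assertEqual(self.request.responseCode, 302)` plus a check that the `location` header (`self.request.responseHeaders.getRawHeaders(b'location')`, if the request double used here exposes it) points at the protected page; exact attribute names depend on that test double. The docstring also misspells `agressive` (`aggressive`). test_checkSolution continues outside the hunk.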