mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
Fixed content type check in login_password
login_password is expecting that request content_type will be 'application/x-www-form-urlencoded'. The current check is an equality check of the content_type HTTP header. RFC 3875 defines that content type can contain parameters separated by ';'. For example: when Firefox is doing an AJAX call it sets the request header to 'application/x-www-form-urlencoded; charset=UTF-8', which leads to a negative result. This patch makes the check more benevolent to allow such values. Patch is a fixup for: https://fedorahosted.org/freeipa/ticket/2095
parent 3cd0217b30
commit 610420bd2a
@ -894,7 +894,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
|
||||
|
||||
# Get the user and password parameters from the request
|
||||
content_type = environ.get('CONTENT_TYPE', '').lower()
|
||||
if content_type != 'application/x-www-form-urlencoded':
|
||||
if not content_type.startswith('application/x-www-form-urlencoded'):
|
||||
return self.bad_request(environ, start_response, "Content-Type must be application/x-www-form-urlencoded")
|
||||
|
||||
method = environ.get('REQUEST_METHOD', '').upper()
|
||||
|
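Review bot: The added condition `if not content_type.startswith('application/x-www-form-urlencoded'):` is a prefix match, so it accepts any header value that merely begins with that string (for example `application/x-www-form-urlencoded-other`), not only the media type followed by `;`-separated parameters as the commit message intends. Consider comparing only the media type, e.g. `content_type.split(';', 1)[0].strip() != 'application/x-www-form-urlencoded'`, which still admits `; charset=UTF-8` while keeping an exact match on the type itself. A one-line comment above the check noting that parameters are allowed would also make the intent clear to later readers.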