Mercurial > libervia-backend
changeset 2208:c316c6f6a737
plugin invitations: fixed leak of uuid in jid
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Sun, 26 Mar 2017 21:23:03 +0200 |
| parents | d662bdd682b2 |
| children | ea41cf1e6d29 |
| files | src/plugins/plugin_misc_invitations.py |
| diffstat | 1 files changed, 3 insertions(+), 2 deletions(-) |
--- a/src/plugins/plugin_misc_invitations.py Sun Mar 26 18:08:05 2017 +0200 +++ b/src/plugins/plugin_misc_invitations.py Sun Mar 26 21:23:03 2017 +0200 @@ -95,7 +95,8 @@ **kwargs: keywords arguments which can have the following keys, unset values are equivalent to None: jid_(jid.JID, None): jid to use for invitation, the jid will be created using XEP-0077 if the jid has no user part, an anonymous account will be used (no XMPP account created in this case) - if None, automatically generate an account name (in the form "invitation-[UUID]@domain.tld") + if None, automatically generate an account name (in the form "invitation-[random UUID]@domain.tld") (note that this UUID is not the + same as the invitation one, as jid can be used publicly (leaking the UUID), and invitation UUID give access to account. in case of conflict, a suffix number is added to the account until a free one if found (with a failure if SUFFIX_MAX is reached) password(unicode, None): password to use (will be used for XMPP account and profile) None to automatically generate one @@ -165,7 +166,7 @@ if not domain: # TODO: fallback to profile's domain raise ValueError(_(u"You need to specify xmpp_domain in sat.conf")) - jid_ = u"invitation-{uuid}@{domain}".format(uuid=id_, domain=domain) + jid_ = u"invitation-{uuid}@{domain}".format(uuid=shortuuid.uuid(), domain=domain) jid_ = jid.JID(jid_) if jid_.user: # we don't register account if there is no user as anonymous login is then used
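Review bot: in the docstring hunk (@@ -95,7 +95,8 @@) the new note has an unbalanced parenthesis and a grammar slip: "(note that this UUID is not the same as the invitation one, as jid can be used publicly (leaking the UUID), and invitation UUID give access to account." opens a parenthesis that is never closed and "give" should be "gives". Suggested wording: "(note that this UUID is not the same as the invitation one: the jid may be shown publicly, which would leak the UUID, and the invitation UUID gives access to the account)". Since this sentence documents the security reason for the change, it is worth making it read cleanly so a later maintainer does not "simplify" the jid back to the invitation id.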
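Review bot: in the second hunk (@@ -165,7 +166,7 @@) the line `jid_ = u"invitation-{uuid}@{domain}".format(uuid=shortuuid.uuid(), domain=domain)` introduces a call to `shortuuid`, but no import is visible in this changeset; the diffstat's 3 insertions are fully accounted for by the two docstring lines and this one, so no import was added. Please confirm `shortuuid` is already imported at module level in plugin_misc_invitations.py, otherwise this line raises NameError on the first invitation created. The substance of the fix is right: the jid local part is now a fresh random value unrelated to `id_`, so a publicly visible jid no longer reveals the invitation UUID that grants account access, and the conflict-suffix handling described in the docstring still covers the rare collision case.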