author | Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> | 2019-09-20 14:58:37 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-20 14:58:37 +0100 |
commit | 7763dd3e9592909cfe3d7763f4a68b8135fc2bdc (patch) | |
tree | b128227a4796efd11a0ad16ef168ac40e47cbb5c | |
parent | Ensure email validation link parameters are URL-encoded (#6063) (diff) | |
download | synapse-7763dd3e9592909cfe3d7763f4a68b8135fc2bdc.tar.xz |
Remove trailing slash ability from password reset's submit_token endpoint (#6074)
Remove trailing slash ability from the password reset submit_token endpoint. Since we provide the link in an email, and have never sent it with a trailing slash, there's no point for us to accept them on the endpoint.
-rw-r--r-- | changelog.d/6074.feature | 1 | ||||
-rw-r--r-- | synapse/rest/client/v2_alpha/account.py | 2 |
2 files changed, 2 insertions, 1 deletions
diff --git a/changelog.d/6074.feature b/changelog.d/6074.feature
new file mode 100644
index 0000000000..b7aa9c99d8
--- /dev/null
+++ b/changelog.d/6074.feature
@@ -0,0 +1 @@
+Prevent password reset's submit_token endpoint from accepting trailing slashes.
\ No newline at end of file
diff --git a/synapse/rest/client/v2_alpha/account.py b/synapse/rest/client/v2_alpha/account.py
index 1791f4d79b..3c5b23dc80 100644
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -200,7 +200,7 @@ class PasswordResetSubmitTokenServlet(RestServlet):
 """Handles 3PID validation token submission"""
 PATTERNS = client_patterns(
- "/password_reset/(?P<medium>[^/]*)/submit_token/*$", releases=(), unstable=True
+ "/password_reset/(?P<medium>[^/]*)/submit_token$", releases=(), unstable=True
 )
 def __init__(self, hs): |
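Review bot: The tail of the pattern in `PATTERNS` is now strict, but the `medium` group is still `[^/]*`, so an empty or arbitrary segment (for example `/password_reset//submit_token`) continues to route to this token-validation servlet. If the handler does not already reject unknown media (the class body continues outside this hunk, so that is not visible here), consider `(?P<medium>[^/]+)` or an explicit check against the supported media. A short comment above the pattern, such as `# The emailed link never carries a trailing slash, so none is accepted here`, would keep the stricter form from being loosened again later.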