authorJon Wayne Parrott <jonwayne@google.com>2017-05-09 12:30:32 -0700
committerGitHub <noreply@github.com>2017-05-09 12:30:32 -0700
commitcf13958d7d66dfa99492ac0cc91d75e276066be1 (patch)
treedde63505da466376219e3d8c6a1f4e60cf4aa162
parentfeec15f070903069347b9386a24fb73148f97411 (diff)
downloadoauth2client-cf13958d7d66dfa99492ac0cc91d75e276066be1.tar.gz
Escape callback error code (#710)
-rw-r--r--oauth2client/contrib/flask_util.py2
-rw-r--r--tests/contrib/test_flask_util.py12
2 files changed, 14 insertions, 0 deletions
diff --git a/oauth2client/contrib/flask_util.py b/oauth2client/contrib/flask_util.py
index 6d7d8f7..fabd613 100644
--- a/oauth2client/contrib/flask_util.py
+++ b/oauth2client/contrib/flask_util.py
@@ -176,6 +176,7 @@ try:
from flask import request
from flask import session
from flask import url_for
+ import markupsafe
except ImportError: # pragma: NO COVER
raise ImportError('The flask utilities require flask 0.9 or newer.')
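Review bot: The `except ImportError` branch two lines below the new `import markupsafe` still reports only "The flask utilities require flask 0.9 or newer.", so a failure to import markupsafe would be misattributed to flask. markupsafe is, as far as I know, a transitive hard dependency of flask (via jinja2), so the grouping is defensible, but that reasoning is not visible in the code; a one-line comment above the import would make the intent explicit, e.g. `# markupsafe ships with flask (jinja2 dependency), so it shares flask's import guard`. The surrounding try/except starts outside the hunk.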
@@ -388,6 +389,7 @@ class UserOAuth2(object):
if 'error' in request.args:
reason = request.args.get(
'error_description', request.args.get('error', ''))
+ reason = markupsafe.escape(reason)
return ('Authorization failed: {0}'.format(reason),
httplib.BAD_REQUEST)
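Review bot: The added `reason = markupsafe.escape(reason)` is the right fix but carries no explanation of why escaping is required here, and the query-string origin of `reason` is only visible two lines up. A why-comment would keep the next maintainer from "simplifying" it away, e.g. `# 'error' / 'error_description' are caller-supplied query args and this string is returned as the response body, which Flask serves as text/html by default; escape to prevent reflected markup.` A second, independent hardening worth considering is returning the body with an explicit `text/plain` content type so the escaping is not the only thing standing between the query string and the browser's HTML parser; I have not checked whether callers of this view depend on the current response shape. The enclosing method of `UserOAuth2` starts and ends outside the hunk.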
diff --git a/tests/contrib/test_flask_util.py b/tests/contrib/test_flask_util.py
index fa018bd..112bff0 100644
--- a/tests/contrib/test_flask_util.py
+++ b/tests/contrib/test_flask_util.py
@@ -258,6 +258,18 @@ class FlaskOAuth2Tests(unittest.TestCase):
self.assertEqual(response.status_code, httplib.BAD_REQUEST)
self.assertIn('something', response.data.decode('utf-8'))
+ # Error supplied to callback with html
+ with self.app.test_client() as client:
+ with client.session_transaction() as session:
+ session['google_oauth2_csrf_token'] = 'tokenz'
+
+ response = client.get(
+ '/oauth2callback?state={}&error=<script>something<script>')
+ self.assertEqual(response.status_code, httplib.BAD_REQUEST)
+ self.assertIn(
+ '&lt;script&gt;something&lt;script&gt;',
+ response.data.decode('utf-8'))
+
# CSRF mismatch
with self.app.test_client() as client:
with client.session_transaction() as session: