Remove trailing slash ability from password reset's submit_token endpoint (#6074)

Remove trailing slash ability from the password reset submit_token endpoint. Since we provide the link in an email, and have never sent it with a trailing slash, there's no point for us to accept them on the endpoint.
This commit is contained in:
Andrew Morgan 2019-09-20 14:58:37 +01:00 committed by GitHub
parent aeb40f355c
commit 7763dd3e95
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 1 deletions

1
changelog.d/6074.feature Normal file
View File

@ -0,0 +1 @@
Prevent password reset's submit_token endpoint from accepting trailing slashes.

View File

@ -200,7 +200,7 @@ class PasswordResetSubmitTokenServlet(RestServlet):
"""Handles 3PID validation token submission"""
PATTERNS = client_patterns(
"/password_reset/(?P<medium>[^/]*)/submit_token/*$", releases=(), unstable=True
"/password_reset/(?P<medium>[^/]*)/submit_token$", releases=(), unstable=True
)
def __init__(self, hs):