Mateusz Mandera 551b387164 CVE-2021-43791: Validate confirmation keys in /accounts/register/ codepath. ...

A confirmation link takes a user to the check_prereg_key_and_redirect
endpoint, before getting redirected to POST to /accounts/register/. The
problem was that validation was happening in the check_prereg_key_and_redirect
part and not in /accounts/register/ - meaning that one could submit an
expired confirmation key and be able to register.

We fix this by moving validation into /accouts/register/.

2021-12-01 23:13:11 +00:00

32 KiB

Raw Blame History

View Raw