mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-20 22:42:53 -05:00

🐛 Fixed special chars in single use token (#12290)

no refs

- The token generation logic for the single use token was replacing only the first instance of + or / to make the token URL safe, instead of replacing all instances, which caused a bug where the token was not validated properly in case it included multiple + or / characters.

- The fix ensures that all + or / characters in the token are replaced with the URL-safe _ or - so it can be properly validated via magic link.
Rishabh Garg 2020-10-20 11:49:20 +05:30 committed by GitHub
parent 635580f291
commit 7182efdb88
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -10,8 +10,8 @@ const SingleUseToken = ghostBookshelf.Model.extend({
.randomBytes(192 / 8)
.toString('base64')
// base64url encoding means the tokens are URL safe
.replace('+', '-')
.replace('/', '_')
.replace(/\+/g, '-')
.replace(/\//g, '_')
};
}
}, {
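Review bot: the two global-regex `.replace` calls fix the first-match-only defect, but no regression test is added alongside them, and the commit message notes "no refs", so nothing guards against the string-pattern form creeping back in. Suggest a unit test that stubs `crypto.randomBytes` to return a buffer whose base64 form contains several `+` and `/` characters and asserts the resulting token matches `/^[A-Za-z0-9_-]+$/`. Note also that `randomBytes(192 / 8)` yields 24 bytes, a multiple of 3, so the base64 output is 32 characters with no `=` padding; the two replacements are therefore sufficient for URL safety and no padding handling is needed.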