From cf13958d7d66dfa99492ac0cc91d75e276066be1 Mon Sep 17 00:00:00 2001
From: Jon Wayne Parrott
Date: Tue, 9 May 2017 12:30:32 -0700
Subject: [PATCH] Escape callback error code (#710)
---
 oauth2client/contrib/flask_util.py | 2 ++
 tests/contrib/test_flask_util.py | 12 ++++++++++++
 2 files changed, 14 insertions(+)
diff --git a/oauth2client/contrib/flask_util.py b/oauth2client/contrib/flask_util.py
index 6d7d8f7..fabd613 100644
--- a/oauth2client/contrib/flask_util.py
+++ b/oauth2client/contrib/flask_util.py
@@ -176,6 +176,7 @@ try:
 from flask import request
 from flask import session
 from flask import url_for
+ import markupsafe
 except ImportError: # pragma: NO COVER
 raise ImportError('The flask utilities require flask 0.9 or newer.')
@@ -388,6 +389,7 @@ class UserOAuth2(object):
 if 'error' in request.args:
 reason = request.args.get(
 'error_description', request.args.get('error', ''))
+ reason = markupsafe.escape(reason)
 return ('Authorization failed: {0}'.format(reason),
 httplib.BAD_REQUEST)
diff --git a/tests/contrib/test_flask_util.py b/tests/contrib/test_flask_util.py
index fa018bd..112bff0 100644
--- a/tests/contrib/test_flask_util.py
+++ b/tests/contrib/test_flask_util.py
@@ -258,6 +258,18 @@ class FlaskOAuth2Tests(unittest.TestCase):
 self.assertEqual(response.status_code, httplib.BAD_REQUEST)
 self.assertIn('something', response.data.decode('utf-8'))
+ # Error supplied to callback with html
+ with self.app.test_client() as client:
+ with client.session_transaction() as session:
+ session['google_oauth2_csrf_token'] = 'tokenz'
+
+ response = client.get(
+ '/oauth2callback?state={}&error=
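Review bot: The new `import markupsafe` sits inside the same `try` whose `except ImportError` reports "The flask utilities require flask 0.9 or newer.", so a missing markupsafe would be diagnosed as a Flask version problem. In practice markupsafe is normally installed alongside Flask (via Jinja2), so this is unlikely to fire, but the message should name the real requirement: `raise ImportError('The flask utilities require flask 0.9 or newer and markupsafe.')`. The `try:` line itself is only visible in the hunk header, so the enclosing block starts outside the hunk.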
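Review bot: The added `reason = markupsafe.escape(reason)` line carries no comment explaining why it is there, and since the value comes straight from `request.args` and the tuple return has no explicit content type (Flask serves it as text/html by default), a later cleanup could plausibly drop the escape as redundant. I would add `# reason is attacker-controlled (query string) and the body is served as text/html; escape to avoid reflected XSS.` directly above it. As a defence-in-depth alternative the response could also declare `text/plain` explicitly so the body is never interpreted as markup, though that changes how the escaped text renders and is a judgement call. The callback view that contains this branch starts and ends outside the hunk.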