diff --git a/config.py b/config.py
index f5de080..aed54fb 100644
--- a/config.py
+++ b/config.py
@@ -213,11 +213,13 @@ CACHES = {
 "LOCATION": [
 "127.0.0.1:11211",
 ],
+ #"OPTIONS": {"MAX_ENTRIES": 1000000},
 },
 "filesystem": {
 "BACKEND": "django.core.cache.backends.filebased.FileBasedCache",
 "LOCATION": "/var/tmp/ivatar_cache",
 "TIMEOUT": 900, # 15 minutes
+ "OPTIONS": {"MAX_ENTRIES": 1000000},
 },
 }
diff --git a/ivatar/ivataraccount/models.py b/ivatar/ivataraccount/models.py
index fe7fd14..ca3455e 100644
--- a/ivatar/ivataraccount/models.py
+++ b/ivatar/ivataraccount/models.py
@@ -10,7 +10,7 @@ from io import BytesIO
 from os import urandom
 from urllib.error import HTTPError, URLError
 from ivatar.utils import urlopen, Bluesky
-from urllib.parse import urlsplit, urlunsplit
+from urllib.parse import urlsplit, urlunsplit, quote
 from PIL import Image
 from django.contrib.auth.models import User
@@ -20,6 +20,7 @@ from django.utils import timezone
 from django.http import HttpResponseRedirect
 from django.urls import reverse_lazy, reverse
 from django.utils.translation import gettext_lazy as _
+from django.core.cache import cache
 from django.core.exceptions import ObjectDoesNotExist
 from django.core.mail import send_mail
 from django.template.loader import render_to_string
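Review bot: `"OPTIONS": {"MAX_ENTRIES": 1000000}` on the filesystem backend deserves a second look: with Django's stock `FileBasedCache` (which the `BACKEND` line names) every `set()` runs a cull check that lists the whole cache directory, so permitting a million entries under `/var/tmp/ivatar_cache` makes each write O(entries) and lets the cache grow to a million pickled files in a shared tmp directory. If the intent is only to stop the Django default bound from culling 15-minute entries under load, size the limit to the real working set and record the reason, e.g. `# raised from the Django default so 15-minute entries survive peak load; each set() lists the dir, so keep this bounded`. The commented-out `#"OPTIONS": {"MAX_ENTRIES": 1000000},` under the memcached backend should be removed rather than parked: `MAX_ENTRIES` is a culling option of the file/locmem/db backends, and memcached `OPTIONS` are handed to the client library, so it is dead code there. The `CACHES` dict opens above the hunk.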
@@ -362,6 +363,22 @@ class ConfirmedEmail(BaseAccountModel):
 self.digest_sha256 = hashlib.sha256(
 self.email.strip().lower().encode("utf-8")
 ).hexdigest()
+
+ # We need to manually expire the page caches
+ # TODO: Verify this works as expected
+ # First check if we already have an ID
+ if self.pk:
+ cache_url = reverse_lazy( "assign_photo_email", kwargs={"email_id": int(self.pk)} )
+ cache_key = f"views.decorators.cache.cache_page.{quote(str(cache_url))}"
+ if cache.has_key(cache_key):
+ cache.delete(cache_key)
+ logger.error("Successfully cleaned up cached page: %s" % cache_key)
+ else:
+ logger.error("Page %s wasn't cached.", cache_key)
+
 return super().save(force_insert, force_update, using, update_fields)
 def __str__(self):
diff --git a/ivatar/utils.py b/ivatar/utils.py
index ccd9771..3e50824 100644
--- a/ivatar/utils.py
+++ b/ivatar/utils.py
@@ -217,33 +217,33 @@ def is_trusted_url(url, url_filters):
 """
 (scheme, netloc, path, params, query, fragment) = urlparse(url)
- for filter in url_filters:
- if "schemes" in filter:
- schemes = filter["schemes"]
+ for ufilter in url_filters:
+ if "schemes" in ufilter:
+ schemes = ufilter["schemes"]
 if scheme not in schemes:
 continue
- if "host_equals" in filter:
- host_equals = filter["host_equals"]
+ if "host_equals" in ufilter:
+ host_equals = ufilter["host_equals"]
 if netloc != host_equals:
 continue
- if "host_suffix" in filter:
- host_suffix = filter["host_suffix"]
+ if "host_suffix" in ufilter:
+ host_suffix = ufilter["host_suffix"]
 if not netloc.endswith(host_suffix):
 continue
- if "path_prefix" in filter:
- path_prefix = filter["path_prefix"]
+ if "path_prefix" in ufilter:
+ path_prefix = ufilter["path_prefix"]
 if not path.startswith(path_prefix):
 continue
- if "url_prefix" in filter:
- url_prefix = filter["url_prefix"]
+ if "url_prefix" in ufilter:
+ url_prefix = ufilter["url_prefix"]
 if not url.startswith(url_prefix):
 continue
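Review bot: The hand-built `cache_key` in `ConfirmedEmail.save()` will not match what `cache_page` stores, so `cache.has_key` is always false and the stale page is never evicted: Django's decorator keys on `views.decorators.cache.cache_page.<key_prefix>.<METHOD>.<md5 of the absolute URL>.<md5 of the Vary headers>`, not on the URL-quoted path, and the absolute URL includes the request host, which a model method cannot know (this assumes the view is cached with `cache_page`; confirm against the view). The `TODO: Verify this works as expected` comment already flags the doubt, and `logger.error` on both branches will surface every save as an error in production. Rather than reverse-engineer Django's key, let `save()` bump a per-email version token that the view mixes into its own cache key (a small `cache.get_or_set` wrapper in the view instead of `cache_page`), so invalidation needs no URL or host knowledge. Until then, drop the probe-then-delete pair for an unconditional `cache.delete(cache_key)` and log at debug level, e.g. `logger.debug("Evicted cached page %s", cache_key)`; `save()`'s signature sits above the hunk.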
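Review bot: The renamed loop in `is_trusted_url` still matches on the raw `netloc` from `urlparse`, so the `host_suffix` branch (`if not netloc.endswith(host_suffix)`) accepts `notexample.com` for a suffix of `example.com`, and because `netloc` carries userinfo, port and original case, `host_equals` spuriously rejects `example.com:443` or `Example.com` — whether that is exploitable depends on how `url_filters` are configured by callers outside the hunk, but an allow-list that can be satisfied by a look-alike host is the classic SSRF/redirect bypass. Compare the parsed hostname and anchor the suffix on a label boundary: `host = urlparse(url).hostname or ""`, then `if host != host_suffix and not host.endswith("." + host_suffix): continue`, and use `host` for the `host_equals` comparison as well. The function's return statement is below the hunk, so the fall-through result for a filter dict with no keys (which appears to trust any URL) cannot be confirmed here.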
diff --git a/templates/security.html b/templates/security.html
index 8f94861..a935185 100644
--- a/templates/security.html
+++ b/templates/security.html
@@ -68,6 +68,12 @@ ivatar/Libravatar more secure by reporting security issues to us.
  • MR_NETWORK & Farzan ʷᵒⁿᵈᵉʳ: Spotted a problematic use of SECRET_KEY in the production environment. Many thanks for reporting it to us!
  • +
  • + + Ezequiel Fernandez + Spotted public accessible secret keys in our test instance! We appreciate him notifying us privately about this issue! +