From 5aa69bac96e0a82d773d1aa13a817862ccfc555f Mon Sep 17 00:00:00 2001
From: Cobus Carstens
Date: Thu, 1 Feb 2018 13:30:26 +0200
Subject: [PATCH] Only use the username if it is actually provided (#112)
* Only use the username if it is actually provided
* Test that unspecified usernames cannot be blocked
* Added test to prevent Coveralls from complaining about a coverage regression.
---
 defender/tests.py | 17 +++++++++++++++++
 defender/utils.py | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/defender/tests.py b/defender/tests.py
index 6b9b9cd..59b708a 100644
--- a/defender/tests.py
+++ b/defender/tests.py
@@ -226,6 +226,23 @@ class AccessAttemptTest(DefenderTestCase):
 self.assertNotIn(UPPER_USERNAME, utils.get_blocked_usernames())
 self.assertIn(UPPER_USERNAME.lower(), utils.get_blocked_usernames())
+ def test_empty_username_cannot_be_blocked(self):
+ """
+ Test that an empty username, or one that is None, cannot be blocked.
+ """
+ for username in ["", None]:
+ for i in range(0, config.FAILURE_LIMIT + 2):
+ ip = '74.125.239.{0}.'.format(i)
+ self._login(username=username, remote_addr=ip)
+
+ self.assertNotIn(username, utils.get_blocked_usernames())
+
+ def test_lowercase(self):
+ """
+ Test that the lowercase(None) returns None.
+ """
+ self.assertEquals(utils.lower_username(None), None)
+
 def test_cooling_off(self):
 """ Tests if the cooling time allows a user to login """
diff --git a/defender/utils.py b/defender/utils.py
index d0aeddd..43476ae 100644
--- a/defender/utils.py
+++ b/defender/utils.py
@@ -202,7 +202,7 @@ def record_failed_attempt(ip_address, username):
 ip_block = True
 user_block = False
- if not config.DISABLE_USERNAME_LOCKOUT:
+ if username and not config.DISABLE_USERNAME_LOCKOUT:
 user_count = increment_key(get_username_attempt_cache_key(username))
 # if over the limit, add to block
 if user_count > config.FAILURE_LIMIT:
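Review bot: `self.assertEquals` in the added test_lowercase is the deprecated alias of `assertEqual`, and a comparison against `None` reads better as `self.assertIsNone(utils.lower_username(None))`. In test_empty_username_cannot_be_blocked the remote address `'74.125.239.{0}.'` carries a trailing dot and so is not a well-formed IPv4 address; it presumably only works because the attempt cache treats the address as an opaque string, and `'74.125.239.{0}'` would match what the test intends. The final `self.assertNotIn(username, ...)` is close to vacuous for `None` if the blocked list only ever holds strings; the stronger check is that these attempts produced no username block at all (for example asserting the blocked-usernames result is empty, if the fixture starts clean — not visible here). The enclosing AccessAttemptTest class continues outside the hunk.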
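Review bot: The new guard `if username and not config.DISABLE_USERNAME_LOCKOUT:` does not say why it exists, and the removed line shows that a `None` or `""` username used to be counted under one shared cache key; a comment such as `# No username supplied (None or ""): only the per-IP counter applies, otherwise every anonymous failure would share a single username key` would keep the next maintainer from reverting it. The check is plain truthiness, so a whitespace-only username is still tracked under its own key; whether `get_username_attempt_cache_key` normalises that is outside the hunk. Any other path that looks up a username block before the login is processed needs the same `username and` guard, or a falsy username could still be used to build a cache key there — not visible in this diff. `record_failed_attempt` starts and ends outside the hunk.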