From 37bf8efebd76fc78bfe53e28e65e26231bbbbf05 Mon Sep 17 00:00:00 2001
From: Raul Barreras <rbarreras@nebraska.edu>
Date: Fri, 15 Dec 2023 09:20:14 -0600
Subject: [PATCH] code review: is the vuln gone?

---
 src/app/app.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/app/app.py b/src/app/app.py
index 517fe1b..06dd0ec 100644
--- a/src/app/app.py
+++ b/src/app/app.py
@@ -11,9 +11,10 @@ def index():
     return render_template('index.html')
     
 
-@app.route("/email-settings/opt-out")
+@app.route("/email-settings/opt-out", methods=["GET"])
 def email_opt_out():
-    email = request.values.get("email")
+    email = request.form.get("email", "user@example.com")
+    # Temporal fix to prevent SSTI. Fix ASAP!!!
     output = Jinja2.from_string('You have opted out ' + email + 
                                 ' from our service.' + 
                                 '<p>Go back to <a href="/">home</a>.</p>').render()
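Review bot: The SSTI is not gone: the new `email` value is still concatenated into the template source on the `Jinja2.from_string(...)` line and then rendered, so any `{{ ... }}` payload in the submitted email is still evaluated. Switching to `request.form.get` and `methods=["GET"]` only changes where the attacker puts the payload — Werkzeug appears to parse a form-encoded body based on Content-Type rather than HTTP method, so a GET with a body (e.g. via curl) would still populate `request.form`; and if this route is meant to take a GET query parameter, the real user path is now broken. Pass the value as a template variable instead of splicing it into the source: `output = Jinja2.from_string('You have opted out {{ email }} from our service.<p>Go back to <a href="/">home</a>.</p>').render(email=email)`, and make sure the `Jinja2` environment (defined outside this hunk) has `autoescape=True` so the same value cannot also be used for reflected XSS. The `"user@example.com"` default should probably be a 400 response rather than a silently substituted address, and the comment `# Temporal fix to prevent SSTI` should be replaced, since it overstates what this change achieves; `email_opt_out` continues past the end of the hunk.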
-- 
GitLab