From 54db5a513bcafa97a36e9f6dfa31d3c61fa8217b Mon Sep 17 00:00:00 2001
From: Mohamed ElKalioby
Date: Mon, 10 Oct 2022 17:20:47 +0300
Subject: [PATCH] Fixing CVE-2022-42731
---
 mfa/FIDO2.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/mfa/FIDO2.py b/mfa/FIDO2.py
index dcdf9f2..a2b5b5b 100644
--- a/mfa/FIDO2.py
+++ b/mfa/FIDO2.py
@@ -16,7 +16,7 @@ import datetime
 from .Common import get_redirect_url
 from django.utils import timezone
-
+from django.http import JsonResponse
 def recheck(request):
 """Starts FIDO2 recheck"""
@@ -49,13 +49,15 @@ def begin_registeration(request):
 def complete_reg(request):
 """Completes the registeration, called by API"""
 try:
+ if not "fido_state" in request.session:
+ return JsonResponse({'status': 'ERR', "message": "FIDO Status can't be found, please try again"})
 data = cbor.decode(request.body)
 client_data = CollectedClientData(data['clientDataJSON'])
 att_obj = AttestationObject((data['attestationObject']))
 server = getServer()
 auth_data = server.register_complete(
- request.session['fido_state'],
+ request.session.pop['fido_state'],
 client_data, att_obj )
@@ -75,7 +77,7 @@ def complete_reg(request):
 client.captureException()
 except: pass
- return HttpResponse(simplejson.dumps({'status': 'ERR', "message": "Error on server, please try again later"}))
+ return JsonResponse({'status': 'ERR', "message": "Error on server, please try again later"})
 def start(request):
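Review bot: The new line `request.session.pop['fido_state'],` in the second hunk subscripts the bound method `pop` instead of calling it, so it raises a TypeError before `register_complete` ever runs; it should read `request.session.pop('fido_state'),`. Since this sits inside the `try` whose handler (visible in the third hunk) returns the generic "Error on server" response, the effect is that every registration completion fails with that message rather than the replay being rejected, which is easy to mistake for a server-side problem. Consuming the state with `pop` is the right shape for the fix, because it makes the one-time registration state single-use even if `register_complete` later rejects the attestation. As a point of style, the added guard reads more naturally as `if "fido_state" not in request.session:`. complete_reg's body continues outside this hunk, including the handler that swallows the exception.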