Avoids informing browser whether the username or email is a match

- pretends to have sent the email with the URL to change the password
  regardless of whether or not the email was actually sent. This
  avoids leaking user information to the browser
This commit is contained in:
Caleb Forbes Davis V 2011-08-28 22:57:51 -05:00
parent fac7b8c9b1
commit 24966c43bd


@ -204,10 +204,7 @@ def forgot_password(request):
{'$or': [{'username': request.POST['username']},
{'email': request.POST['username']}]})
if not user:
fp_form.username.errors.append(
u"Sorry, the username doesn't exists")
else:
if user:
user['fp_verification_key'] = unicode(uuid.uuid4())
user['fp_token_expire'] = datetime.datetime.now() + \
datetime.timedelta(days=10)
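Review bot: With the error branch gone, the `if user:` path is still the only one that generates a key, stamps an expiry and (judging by the next hunk) saves and sends mail before redirecting, so a non-matching username returns measurably faster; the commit closes the on-page leak but leaves a timing difference. forgot_password starts above this hunk and the save, send and redirect sit in the following one, so the full cost of the matching path is only partly visible here. A comment on the new branch would make the intent durable for the next maintainer: `# no else on purpose: a missing user must be indistinguishable to the browser`. If the residual timing gap matters for this deployment, moving key generation and the email send off the request path, or doing equivalent work in both cases, would narrow it.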
@ -215,7 +212,8 @@ def forgot_password(request):
send_fp_verification_email(user, request)
return redirect(request, 'mediagoblin.auth.fp_email_sent')
# do not reveal whether or not there is a matching user, just move along
return redirect(request, 'mediagoblin.auth.fp_email_sent')
return render_to_response(
request,