author | Caleb Forbes Davis V <caldavis@gmail.com> | 2011-08-28 22:57:51 -0500 |
committer | Caleb Forbes Davis V <caldavis@gmail.com> | 2011-08-29 00:18:35 -0500 |
commit | 24966c43bddbd291c4a067568c50fafad8b6f295 (patch) | |
tree | dcc6a455c3708ea67c23d8ef088cabeb5c229040 | |
parent | fac7b8c9b160db7c6c85f9677acfb7bc7650c23f (diff) | |
download | mediagoblin-24966c43bddbd291c4a067568c50fafad8b6f295.tar.lz mediagoblin-24966c43bddbd291c4a067568c50fafad8b6f295.tar.xz mediagoblin-24966c43bddbd291c4a067568c50fafad8b6f295.zip |
Avoids informing browser whether the username or email is a match
- pretends to have sent the email with the URL to change the password
regardless of whether a matching account exists (and so whether the
email was actually sent). This avoids leaking account-existence
information (user enumeration) to the browser
-rw-r--r-- | mediagoblin/auth/views.py | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py
index 50276442..7ee89dfb 100644
--- a/mediagoblin/auth/views.py
+++ b/mediagoblin/auth/views.py
@@ -204,10 +204,7 @@ def forgot_password(request):
 {'$or': [{'username': request.POST['username']}, {'email': request.POST['username']}]})
- if not user:
- fp_form.username.errors.append(
- u"Sorry, the username doesn't exists")
- else:
+ if user:
 user['fp_verification_key'] = unicode(uuid.uuid4())
 user['fp_token_expire'] = datetime.datetime.now() + \
 datetime.timedelta(days=10)
@@ -215,7 +212,8 @@ def forgot_password(request):
 send_fp_verification_email(user, request)
- return redirect(request, 'mediagoblin.auth.fp_email_sent')
+ # do not reveal whether or not there is a matching user, just move along
+ return redirect(request, 'mediagoblin.auth.fp_email_sent')
 return render_to_response( request, |
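Review bot: The response time still distinguishes a matching account from a non-matching one, because only the `if user:` branch in the first hunk generates a key, stamps an expiry and calls `send_fp_verification_email` (an SMTP round-trip) before reaching the shared redirect in the second hunk, so an attacker measuring latency can enumerate users even though the page is now uniform. Consider taking the send off the request path (a task queue or background thread), or if that is out of scope record the residual leak next to the new comment: `# NOTE: response timing still differs when a user matches (key generation + email send); enumeration is hidden only at the page level`. The 10-day `fp_token_expire` window is also generous for a reset token delivered to a mailbox; a few hours is the usual bound. If `send_fp_verification_email` raises on a mail failure, the user gets an error page instead of the "sent" page, which again reveals that a match occurred — whether it raises depends on that helper, which is not visible here. `forgot_password` begins before the first hunk and its `render_to_response` call continues past the second.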