Bug 878035: Do not disclose whether a user account exists or not when a user…

Bugzilla/Token.pm

@@ -122,13 +122,15 @@ sub IssuePasswordToken {
 
     ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon;
 
-    my ($token, $token_ts) = _create_token($user->id, 'password', remote_ip());
+    my $ip_addr = remote_ip();
+    my ($token, $token_ts) = _create_token($user->id, 'password', $ip_addr);
 
     # Mail the user the token along with instructions for using it.
     my $template = Bugzilla->template_inner($user->setting('lang'));
     my $vars = {};
 
     $vars->{'token'} = $token;
+    $vars->{'ip_addr'} = $ip_addr;
     $vars->{'emailaddress'} = $user->email;
     $vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400);
     # The user is not logged in (else he wouldn't request a new password).

template/en/default/account/password/forgotten-password.txt.tmpl

@@ -12,7 +12,9 @@ Subject:  [% terms.Bugzilla %] Change Password Request
 X-Bugzilla-Type: admin
 
 You have (or someone impersonating you has) requested to change your 
-[%+ terms.Bugzilla %] password. To complete the change, visit the following link:
+[%+ terms.Bugzilla %] password. The request originated from [% ip_addr %].
+
+To complete the change, visit the following link:
 
 [%+ urlbase %]token.cgi?t=[% token FILTER uri %]&a=cfmpw
 
@@ -24,3 +26,7 @@ this request, visit the following link:
 If you do nothing, the request will lapse after [% constants.MAX_TOKEN_AGE %] days
 (on [% expiration_ts FILTER time("%B %e, %Y at %H:%M %Z", timezone) %]) or when you
 log in successfully.
+
+If you think someone tried to compromise your account, please inform
+[%+ Param('maintainer') %] with the IP address reported above
+and the exact time when you got this email.

template/en/default/global/messages.html.tmpl

@@ -571,7 +571,8 @@
 
   [% ELSIF message_tag == "password_change_request" %]
     [% title = "Request to Change Password" %]
-    A token for changing your password has been emailed to you.
+    A token for changing your password has been emailed to
+    <em>[% login_name FILTER html %]</em>.
     Follow the instructions in that email to change your password.
 
   [% ELSIF message_tag == "password_changed" %]

token.cgi

@@ -124,17 +124,18 @@ sub requestChangePassword {
       or ThrowUserError("login_needed_for_password_change");
 
     check_email_syntax($login_name);
-    my $user = Bugzilla::User->check($login_name);
+    my $user = new Bugzilla::User({ name => $login_name });
 
     # Make sure the user account is active.
-    if (!$user->is_enabled) {
+    if ($user && !$user->is_enabled) {
         ThrowUserError('account_disabled',
                        {disabled_reason => get_text('account_disabled', {account => $login_name})});
     }
 
-    Bugzilla::Token::IssuePasswordToken($user);
+    Bugzilla::Token::IssuePasswordToken($user) if $user;
 
     $vars->{'message'} = "password_change_request";
+    $vars->{'login_name'} = $login_name;
 
     print $cgi->header();
     $template->process("global/message.html.tmpl", $vars)