Skip to content

bugzilla
bugzilla
Commit a905395d authored by Frédéric Buclin's avatar Frédéric Buclin
Browse files
Options

Bug 878035: Do not disclose whether a user account exists or not when a user…

Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password" r=dkl a=LpSolit
parent bb45718c
Hide whitespace changes
Inline Side-by-side
Showing with 16 additions and 6 deletions
Bugzilla/Token.pm
View file @ a905395d
...@@ -122,13 +122,15 @@ sub IssuePasswordToken { ...@@ -122,13 +122,15 @@ sub IssuePasswordToken {
ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon; ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon;
my ($token, $token_ts) = _create_token($user->id, 'password', remote_ip()); my $ip_addr = remote_ip();
my ($token, $token_ts) = _create_token($user->id, 'password', $ip_addr);
# Mail the user the token along with instructions for using it. # Mail the user the token along with instructions for using it.
my $template = Bugzilla->template_inner($user->setting('lang')); my $template = Bugzilla->template_inner($user->setting('lang'));
my $vars = {}; my $vars = {};
$vars->{'token'} = $token; $vars->{'token'} = $token;
$vars->{'ip_addr'} = $ip_addr;
$vars->{'emailaddress'} = $user->email; $vars->{'emailaddress'} = $user->email;
$vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400); $vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400);
# The user is not logged in (else he wouldn't request a new password). # The user is not logged in (else he wouldn't request a new password).
......
template/en/default/account/password/forgotten-password.txt.tmpl
View file @ a905395d
...@@ -12,7 +12,9 @@ Subject: [% terms.Bugzilla %] Change Password Request ...@@ -12,7 +12,9 @@ Subject: [% terms.Bugzilla %] Change Password Request
X-Bugzilla-Type: admin X-Bugzilla-Type: admin
You have (or someone impersonating you has) requested to change your You have (or someone impersonating you has) requested to change your
[%+ terms.Bugzilla %] password. To complete the change, visit the following link: [%+ terms.Bugzilla %] password. The request originated from [% ip_addr %].
To complete the change, visit the following link:
[%+ urlbase %]token.cgi?t=[% token FILTER uri %]&a=cfmpw [%+ urlbase %]token.cgi?t=[% token FILTER uri %]&a=cfmpw
...@@ -24,3 +26,7 @@ this request, visit the following link: ...@@ -24,3 +26,7 @@ this request, visit the following link:
If you do nothing, the request will lapse after [% constants.MAX_TOKEN_AGE %] days If you do nothing, the request will lapse after [% constants.MAX_TOKEN_AGE %] days
(on [% expiration_ts FILTER time("%B %e, %Y at %H:%M %Z", timezone) %]) or when you (on [% expiration_ts FILTER time("%B %e, %Y at %H:%M %Z", timezone) %]) or when you
log in successfully. log in successfully.
If you think someone tried to compromise your account, please inform
[%+ Param('maintainer') %] with the IP address reported above
and the exact time when you got this email.
template/en/default/global/messages.html.tmpl
View file @ a905395d
...@@ -571,7 +571,8 @@ ...@@ -571,7 +571,8 @@
[% ELSIF message_tag == "password_change_request" %] [% ELSIF message_tag == "password_change_request" %]
[% title = "Request to Change Password" %] [% title = "Request to Change Password" %]
A token for changing your password has been emailed to you. A token for changing your password has been emailed to
<em>[% login_name FILTER html %]</em>.
Follow the instructions in that email to change your password. Follow the instructions in that email to change your password.
[% ELSIF message_tag == "password_changed" %] [% ELSIF message_tag == "password_changed" %]
......
token.cgi
View file @ a905395d
...@@ -124,17 +124,18 @@ sub requestChangePassword { ...@@ -124,17 +124,18 @@ sub requestChangePassword {
or ThrowUserError("login_needed_for_password_change"); or ThrowUserError("login_needed_for_password_change");
check_email_syntax($login_name); check_email_syntax($login_name);
my $user = Bugzilla::User->check($login_name); my $user = new Bugzilla::User({ name => $login_name });
# Make sure the user account is active. # Make sure the user account is active.
if (!$user->is_enabled) { if ($user && !$user->is_enabled) {
ThrowUserError('account_disabled', ThrowUserError('account_disabled',
{disabled_reason => get_text('account_disabled', {account => $login_name})}); {disabled_reason => get_text('account_disabled', {account => $login_name})});
} }
Bugzilla::Token::IssuePasswordToken($user); Bugzilla::Token::IssuePasswordToken($user) if $user;
$vars->{'message'} = "password_change_request"; $vars->{'message'} = "password_change_request";
$vars->{'login_name'} = $login_name;
print $cgi->header(); print $cgi->header();
$template->process("global/message.html.tmpl", $vars) $template->process("global/message.html.tmpl", $vars)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment