#19758: Password reset form should not leak information ------------------------------+-------------------- Reporter: anonymous | Owner: nobody Type: Bug | Status: new Component: contrib.auth | Version: master Severity: Normal | Keywords: Triage Stage: Unreviewed | Has patch: 0 Easy pickings: 1 | UI/UX: 0 ------------------------------+-------------------- The provided password reset form leaks information about enrolled users by providing information as to whether an email is enrolled. This is obviously untenable for any site with even moderate confidentiality requirements.
Correct behavior is to display the same result regardless of whether an email is found in the database. -- Ticket URL: <https://code.djangoproject.com/ticket/19758> Django <https://code.djangoproject.com/> The Web framework for perfectionists with deadlines. -- You received this message because you are subscribed to the Google Groups "Django updates" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-updates+unsubscr...@googlegroups.com. To post to this group, send email to django-updates@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.