#19758: Password reset form should not leak information
------------------------------+--------------------
     Reporter:  anonymous     |      Owner:  nobody
         Type:  Bug           |     Status:  new
    Component:  contrib.auth  |    Version:  master
     Severity:  Normal        |   Keywords:
 Triage Stage:  Unreviewed    |  Has patch:  0
Easy pickings:  1             |      UI/UX:  0
------------------------------+--------------------
 The provided password reset form leaks information about enrolled users by
 providing information as to whether an email is enrolled. This is
 obviously untenable for any site with even moderate confidentiality
 requirements.

 Correct behavior is to display the same result regardless of whether an
 email is found in the database.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/19758>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
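As an added illustration (not code from the ticket or from Django itself), here is a minimal reset handler in the leaking form the ticket describes and in the uniform-response form it asks for, plus a small regression check that a test suite can run over both; the user store, `Response`, `Outbox` and the helper names are constructed for the example.

```python
"""Added example: password-reset enumeration leak and the uniform-response fix.
Not code from the Django ticket; the user store and types below are constructed."""
from dataclasses import dataclass, field

# Constructed sample user store: email -> display name
USERS = {"alice@example.com": "Alice"}


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Outbox:
    sent: list = field(default_factory=list)  # addresses "emailed" during the request


def reset_leaky(email: str, outbox: Outbox) -> Response:
    # Leaking behaviour: the visible reply depends on whether the address is
    # enrolled, so the form doubles as an account-existence oracle.
    if email not in USERS:
        return Response(400, "That email address doesn't have an associated user account.")
    outbox.sent.append(email)
    return Response(200, "We've emailed you instructions for setting your password.")


def reset_uniform(email: str, outbox: Outbox) -> Response:
    # Fixed behaviour: status and body are identical in both cases. Whether a
    # message was actually sent is only observable by the mailbox owner.
    if email in USERS:
        outbox.sent.append(email)
    return Response(200, "If that address is registered, we've emailed you instructions.")


def responses_indistinguishable(handler, probes) -> bool:
    # Regression check: every probe address must yield the same (status, body).
    # Use this in tests with one enrolled and one unknown address.
    results = {(r.status, r.body) for r in (handler(p, Outbox()) for p in probes)}
    return len(results) == 1
```

The check deliberately compares only what the requester can see; the outbox is inspected separately to confirm that mail still goes out for enrolled addresses.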
