#27518: HTTP Referer leaks password reset link
-------------------------------------+-------------------------------------
     Reporter:  Romain Garrigues     |                    Owner:  Romain Garrigues
         Type:  Cleanup/optimization |                   Status:  assigned
    Component:  contrib.auth         |                  Version:  1.10
     Severity:  Normal               |               Resolution:
     Keywords:  password reset       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Florian Apolloner):

 @Romain Garrigues: So what I imagine is the following:

  * The user gets the link: ''/reset/Mq/asdga-yxflkjxc78121/''
  * You store ''asdga-yxflkjxc78121'' in the session and redirect to
 ''/reset/Mq/set-password/'' (luckily our regex allows for this)
  * If the token is ''set-password'' and the session has the proper value,
 we can reset the password

 This allows us to:
  * Not alter the password for the user twice
  * Keep the most compatibility with the existing system (same URL etc., no
 changes needed unless you manually changed the regex)
  * Not leak any information (only Mq, which is the user id, which is
 guessable anyway)
  * Not have to store any extra information in the session

 Is that clear enough? If yes, do you want to try a patch against the class
 based views in master?

--
Ticket URL: <https://code.djangoproject.com/ticket/27518#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
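As an added illustration of the flow Florian describes above (this is not Django's code or the ticket's patch): a framework-free Python sketch in which `Request`, `USERS`, `SECRET`, `SESSION_KEY` and the token scheme are constructed stand-ins. The token is bound to the current password, as Django's generator is, so the link stops working after one reset, and the URL a third-party resource sees in the Referer carries only the uidb64 and the fixed ''set-password'' placeholder.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

RESET_URL_TOKEN = "set-password"        # placeholder that replaces the real token in the URL
SESSION_KEY = "_password_reset_token"   # hypothetical session key name

# Constructed user store and secret; "Mq" is the uidb64 from the ticket's example.
USERS = {"Mq": {"password": "old-secret"}}
SECRET = b"constructed-secret-key"


def make_token(uid: str) -> str:
    """Stand-in for PasswordResetTokenGenerator.make_token: bound to the
    current password so it becomes invalid once the password changes."""
    msg = f"{uid}:{USERS[uid]['password']}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def check_token(uid: str, token: str) -> bool:
    return uid in USERS and hmac.compare_digest(make_token(uid), token)


@dataclass
class Request:
    session: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def password_reset_confirm(request: Request, uidb64: str, token: str):
    """Returns ("redirect", url) or ("render", context), following the
    three steps in the comment above."""
    if token != RESET_URL_TOKEN:
        # Step 1: the user arrives via the e-mailed link carrying the real token.
        if not check_token(uidb64, token):
            return ("render", {"validlink": False})
        # Step 2: stash the token in the session and redirect to a URL that
        # no longer contains it, so the Referer leaks only the (guessable) uidb64.
        request.session[SESSION_KEY] = token
        return ("redirect", f"/reset/{uidb64}/{RESET_URL_TOKEN}/")
    # Step 3: placeholder token in the URL; the real one must come from the session.
    session_token = request.session.get(SESSION_KEY)
    if session_token is None or not check_token(uidb64, session_token):
        return ("render", {"validlink": False})
    if request.post.get("new_password"):
        USERS[uidb64]["password"] = request.post["new_password"]
        del request.session[SESSION_KEY]   # the stashed token is single-use
        return ("redirect", "/reset/done/")
    return ("render", {"validlink": True})
```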
