Re: [Django] #19758: Password reset form should not leak information

2013-10-19 Thread Django
#19758: Password reset form should not leak information
--+
 Reporter:  anonymous |Owner:  zerok
 Type:  Bug   |   Status:  closed
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:  fixed
 Keywords:  sprint2013| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  1 |UI/UX:  0
--+

Comment (by Claude Paroz):

 In [changeset:"0c850e28858016b5890ae83a6ec6880614b306a2"]:
 {{{
 #!CommitTicketReference repository=""
 revision="0c850e28858016b5890ae83a6ec6880614b306a2"
 [1.6.x] Fixed #21291 -- Ensured inactive users cannot reset their
 passwords

 Thanks kz26 for the report and the suggested fix. Refs #19758.

 Backport of 5f5259036 from master.
 }}}

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.ce700d5e92f413f3684640622c95bd98%40djangoproject.com.
For more options, visit https://groups.google.com/groups/opt_out.


Re: [Django] #19758: Password reset form should not leak information

2013-10-19 Thread Django
#19758: Password reset form should not leak information
--+
 Reporter:  anonymous |Owner:  zerok
 Type:  Bug   |   Status:  closed
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:  fixed
 Keywords:  sprint2013| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  1 |UI/UX:  0
--+

Comment (by Claude Paroz):

 In [changeset:"5f52590368063fc8284e23be492d83ba751f66bf"]:
 {{{
 #!CommitTicketReference repository=""
 revision="5f52590368063fc8284e23be492d83ba751f66bf"
 Fixed #21291 -- Ensured inactive users cannot reset their passwords

 Thanks kz26 for the report and the suggested fix. Refs #19758.
 }}}

To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/067.12954ba73e0415fd6523b436cbbd0560%40djangoproject.com.


Re: [Django] #19758: Password reset form should not leak information

2013-02-23 Thread Django
#19758: Password reset form should not leak information
--+
 Reporter:  anonymous |Owner:  zerok
 Type:  Bug   |   Status:  closed
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:  fixed
 Keywords:  sprint2013| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  1 |UI/UX:  0
--+

Comment (by carljm):

 (Aymeric is correct, I didn't intend to suggest a setting, just that we
 could document the subclassing approach.)


Re: [Django] #19758: Password reset form should not leak information

2013-02-23 Thread Django
#19758: Password reset form should not leak information
--+
 Reporter:  anonymous |Owner:  zerok
 Type:  Bug   |   Status:  closed
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:  fixed
 Keywords:  sprint2013| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  1 |UI/UX:  0
--+
Changes (by Aymeric Augustin):

 * status:  assigned => closed
 * resolution:   => fixed


Comment:

 In [changeset:"2f4a4703e1931fadf5ed81387b26cf84caf5bef9"]:
 {{{
 #!CommitTicketReference repository=""
 revision="2f4a4703e1931fadf5ed81387b26cf84caf5bef9"
 Fixed #19758 -- Avoided leaking email existence through the password reset
 form.
 }}}


Re: [Django] #19758: Password reset form should not leak information

2013-02-23 Thread Django
#19758: Password reset form should not leak information
--+
 Reporter:  anonymous |Owner:  zerok
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:  sprint2013| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  1 |UI/UX:  0
--+

Comment (by zerok):

 https://github.com/django/django/pull/754 contains a new version of the
 pull request. It is now based on the one by Kenn Knowles and goes a bit
 further by also updating the documentation and templates.


Re: [Django] #19758: Password reset form should not leak information

2013-02-23 Thread Django
#19758: Password reset form should not leak information
--+
 Reporter:  anonymous |Owner:  zerok
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:  sprint2013| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  1 |UI/UX:  0
--+

Comment (by aaugustin):

 We don't need a setting for this. Django should follow the best practice
 of not leaking information.

 Developers can adjust this (depending on their requirements) through
 subclassing. This could be documented.


Re: [Django] #19758: Password reset form should not leak information

2013-02-23 Thread Django
#19758: Password reset form should not leak information
--+
 Reporter:  anonymous |Owner:  zerok
 Type:  Bug   |   Status:  assigned
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:  sprint2013| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  1 |UI/UX:  0
--+
Changes (by zerok):

 * owner:  nobody => zerok
 * status:  new => assigned
 * keywords:   => sprint2013


Comment:

 @carljm so you basically want to have the default behaviour to be the
 "secure" approach and perhaps offer a setting (either globally or on a
 per-form level) to switch to a version that exposes the existence of a
 user's email?


Re: [Django] #19758: Password reset form should not leak information

2013-02-22 Thread Django
#19758: Password reset form should not leak information
--+
 Reporter:  anonymous |Owner:  nobody
 Type:  Bug   |   Status:  new
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Accepted
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  1 |UI/UX:  0
--+
Changes (by carljm):

 * stage:  Unreviewed => Accepted


Comment:

 I know this has been debated in the past, but I agree that the default
 behavior should be safe with respect to both security and confidentiality
 requirements. If some people want a "friendlier" password reset and don't
 care about these requirements, we can document an easy path to providing
 different responses depending whether the email address is enrolled.


Re: [Django] #19758: Password reset form should not leak information

2013-02-09 Thread Django
#19758: Password reset form should not leak information
--+--
 Reporter:  anonymous |Owner:  nobody
 Type:  Bug   |   Status:  new
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Unreviewed
Has patch:  1 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  1 |UI/UX:  0
--+--
Changes (by fhahn):

 * has_patch:  0 => 1


Re: [Django] #19758: Password reset form should not leak information

2013-02-07 Thread Django
#19758: Password reset form should not leak information
--+--
 Reporter:  anonymous |Owner:  nobody
 Type:  Bug   |   Status:  new
Component:  contrib.auth  |  Version:  master
 Severity:  Normal|   Resolution:
 Keywords:| Triage Stage:  Unreviewed
Has patch:  0 |  Needs documentation:  0
  Needs tests:  0 |  Patch needs improvement:  0
Easy pickings:  1 |UI/UX:  0
--+--
Changes (by anonymous):

 * needs_better_patch:   => 0
 * needs_tests:   => 0
 * needs_docs:   => 0


Comment:

 I think this is fixed in a pull request now:
 https://github.com/django/django/pull/703


[Django] #19758: Password reset form should not leak information

2013-02-06 Thread Django
#19758: Password reset form should not leak information
--+
 Reporter:  anonymous |  Owner:  nobody
 Type:  Bug   | Status:  new
Component:  contrib.auth  |Version:  master
 Severity:  Normal|   Keywords:
 Triage Stage:  Unreviewed|  Has patch:  0
Easy pickings:  1 |  UI/UX:  0
--+
 The provided password reset form leaks information about enrolled users by
 providing information as to whether an email is enrolled. This is
 obviously untenable for any site with even moderate confidentiality
 requirements.

 Correct behavior is to display the same result regardless of whether an
 email is found in the database.

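The behaviour the thread settles on, as an added example that is not part of the ticket, of the commits it references, or of Django itself: a constructed Python model of a password-reset handler whose response is identical whether or not the address is enrolled, and which only mails active users with a usable password (the point of the follow-up commit for #21291). The "leaky" subclass stands in for the pre-fix behaviour and for the "friendlier" opt-in that the discussion says a project could get by subclassing. The User class, the sample user table, the dict "responses" and the outbox list are all assumptions made for this example; nothing here is Django's API.

```python
# Added example (not Django's code): a constructed model of the password-reset
# flow discussed in #19758 and the follow-up commit for #21291.
# Assumptions: users are looked up by e-mail (case-insensitive), a "response"
# is a plain dict, and "sending mail" means appending to an outbox list.
from dataclasses import dataclass


@dataclass
class User:
    email: str
    is_active: bool = True
    has_usable_password: bool = True


# Constructed sample user table.
USERS = [
    User("alice@example.com"),
    User("bob@example.com", is_active=False),
    User("carol@example.com", has_usable_password=False),
]


class PasswordResetHandler:
    """Secure default: the caller learns nothing about whether the address is
    enrolled, and only active users with a usable password are mailed."""

    done_response = {"status": 302, "location": "/password_reset/done/"}

    def __init__(self, users=USERS):
        self.users = users

    def get_users(self, email):
        # The selection the #21291 fix tightened: inactive accounts and accounts
        # without a usable password never receive a reset token.
        return [
            u for u in self.users
            if u.email.lower() == email.lower()
            and u.is_active
            and u.has_usable_password
        ]

    def handle(self, email, outbox):
        for user in self.get_users(email):
            outbox.append(user.email)  # stand-in for sending the reset mail
        # Same redirect whether zero or more users matched.
        return dict(self.done_response)


class LeakyPasswordResetHandler(PasswordResetHandler):
    """The pre-fix / 'friendlier' variant a project could opt into by
    subclassing: it reports unknown addresses, so the reset form becomes an
    account-enumeration oracle. Shown here only as the 'before' behaviour."""

    def handle(self, email, outbox):
        enrolled = any(u.email.lower() == email.lower() for u in self.users)
        if not enrolled:
            return {
                "status": 200,
                "body": "That email address doesn't have an associated user account.",
            }
        return super().handle(email, outbox)


def is_enumeration_oracle(handler, enrolled, unenrolled):
    """Black-box check: submit an enrolled and an unenrolled address and compare
    the responses exactly. Any difference is an oracle."""
    return handler.handle(enrolled, []) != handler.handle(unenrolled, [])


if __name__ == "__main__":
    secure, leaky = PasswordResetHandler(), LeakyPasswordResetHandler()
    print("leaky handler is an oracle:",
          is_enumeration_oracle(leaky, "alice@example.com", "nobody@example.com"))
    print("secure handler is an oracle:",
          is_enumeration_oracle(secure, "alice@example.com", "nobody@example.com"))
```

The `is_enumeration_oracle` check is the one worth keeping in a test suite: it fails the moment anyone reintroduces a "no such account" message. Note that it only compares the response body and status; if the reset mail is sent synchronously inside the request, the enrolled and unenrolled paths can still differ measurably in response time, so queue the mail or otherwise keep the two paths doing the same amount of work.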