
Prevent password reset exposing account presence #5431

Merged (1 commit), Jun 22, 2020

Conversation

markstuart
Contributor

@markstuart markstuart commented Jun 10, 2020

This work was done in CKAN 2.7.7 by @smotornyuk
just porting to other releases here.

Proposed fixes:

The password reset behaviour currently behaves differently when there is no account found matching the username or email address entered in the form. This can give a malicious agent information about which accounts exist in the system and which don't.

This work makes the response to the user the same for all cases.

Features:

  • includes tests covering changes
  • includes updated documentation
  • includes user-visible changes
  • includes API changes
  • includes bugfix for possible backport

Please [X] all the boxes above that apply
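The behaviour described above, as an added illustration that is not CKAN's code: a "before" reset handler whose response depends on whether the account exists, beside the "after" form that returns the same status and message in every case. The user store, the `Outbox` helper and the message text are constructed for the example.

```python
"""Account-presence leak in a password-reset handler, before and after.

Added example, not CKAN's code: models the reset-request endpoint with a
constructed in-memory user store and a mail outbox instead of real mail.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample store keyed by username and by email (not real data).
USERS: Dict[str, Dict[str, str]] = {
    "alice": {"name": "alice", "email": "alice@example.org"},
    "alice@example.org": {"name": "alice", "email": "alice@example.org"},
}


@dataclass
class Outbox:
    """Assumed helper: records reset mails instead of sending them."""
    sent: List[str] = field(default_factory=list)


def request_reset_vulnerable(identifier: str, outbox: Outbox) -> Tuple[int, str]:
    """'Before': an unknown username/email yields a different status and
    message, so a caller can tell which accounts exist."""
    user = USERS.get(identifier)
    if user is None:
        return 404, "No such user: %s" % identifier
    outbox.sent.append(user["email"])
    return 200, "Please check your inbox for a reset link."


def request_reset_hardened(identifier: str, outbox: Outbox) -> Tuple[int, str]:
    """'After': identical status and message whether or not the account
    exists; the mail is only sent when there is a matching user."""
    user = USERS.get(identifier)
    if user is not None:
        outbox.sent.append(user["email"])
    return 200, "If that account exists, a reset link has been emailed to it."


def mails_sent_for(identifier: str) -> int:
    """Run the hardened handler against a fresh outbox and count mails sent."""
    outbox = Outbox()
    request_reset_hardened(identifier, outbox)
    return len(outbox.sent)
```

Sending the mail inline still leaves a timing difference between the two branches; queuing the send keeps the response time uniform as well as the message.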

@markstuart
Contributor Author

@amercader we discussed this via email in late May, just got back to it now sorry. I also have a branch with the same commit targeting dev-v2.8 if you want me to raise a PR for that too?

@smotornyuk
Member

I'm merging this PR - it will be backported as a part of the usual patch-release process, so there is no need to create a PR into 2.8
