diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2013-06-06 22:46:30 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-06-06 22:46:30 +0200 |
commit | a905395d7fd7dce12a8f51b68aaeede0959480b6 (patch) | |
tree | 689eaf2d1f1b10c62c70d815fd1baf51496818d0 | |
parent | bb45718c677f941ef0ec214cf87ce6bb85f0fa4e (diff) | |
download | bugs-a905395d7fd7dce12a8f51b68aaeede0959480b6.tar bugs-a905395d7fd7dce12a8f51b68aaeede0959480b6.tar.gz bugs-a905395d7fd7dce12a8f51b68aaeede0959480b6.tar.bz2 bugs-a905395d7fd7dce12a8f51b68aaeede0959480b6.tar.xz bugs-a905395d7fd7dce12a8f51b68aaeede0959480b6.zip |
Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password"
r=dkl a=LpSolit
-rw-r--r-- | Bugzilla/Token.pm | 4 | ||||
-rw-r--r-- | template/en/default/account/password/forgotten-password.txt.tmpl | 8 | ||||
-rw-r--r-- | template/en/default/global/messages.html.tmpl | 3 | ||||
-rwxr-xr-x | token.cgi | 7 |
4 files changed, 16 insertions, 6 deletions
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm index 183c11f96..d4224e33b 100644 --- a/Bugzilla/Token.pm +++ b/Bugzilla/Token.pm @@ -122,13 +122,15 @@ sub IssuePasswordToken { ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon; - my ($token, $token_ts) = _create_token($user->id, 'password', remote_ip()); + my $ip_addr = remote_ip(); + my ($token, $token_ts) = _create_token($user->id, 'password', $ip_addr); # Mail the user the token along with instructions for using it. my $template = Bugzilla->template_inner($user->setting('lang')); my $vars = {}; $vars->{'token'} = $token; + $vars->{'ip_addr'} = $ip_addr; $vars->{'emailaddress'} = $user->email; $vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400); # The user is not logged in (else he wouldn't request a new password). diff --git a/template/en/default/account/password/forgotten-password.txt.tmpl b/template/en/default/account/password/forgotten-password.txt.tmpl index 0c135a9ed..de2e79596 100644 --- a/template/en/default/account/password/forgotten-password.txt.tmpl +++ b/template/en/default/account/password/forgotten-password.txt.tmpl @@ -12,7 +12,9 @@ Subject: [% terms.Bugzilla %] Change Password Request X-Bugzilla-Type: admin You have (or someone impersonating you has) requested to change your -[%+ terms.Bugzilla %] password. To complete the change, visit the following link: +[%+ terms.Bugzilla %] password. The request originated from [% ip_addr %]. + +To complete the change, visit the following link: [%+ urlbase %]token.cgi?t=[% token FILTER uri %]&a=cfmpw @@ -24,3 +26,7 @@ this request, visit the following link: If you do nothing, the request will lapse after [% constants.MAX_TOKEN_AGE %] days (on [% expiration_ts FILTER time("%B %e, %Y at %H:%M %Z", timezone) %]) or when you log in successfully. + +If you think someone tried to compromise your account, please inform +[%+ Param('maintainer') %] with the IP address reported above +and the exact time when you got this email. diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl index 95b74f1df..885198668 100644 --- a/template/en/default/global/messages.html.tmpl +++ b/template/en/default/global/messages.html.tmpl @@ -571,7 +571,8 @@ [% ELSIF message_tag == "password_change_request" %] [% title = "Request to Change Password" %] - A token for changing your password has been emailed to you. + A token for changing your password has been emailed to + <em>[% login_name FILTER html %]</em>. Follow the instructions in that email to change your password. [% ELSIF message_tag == "password_changed" %] @@ -124,17 +124,18 @@ sub requestChangePassword { or ThrowUserError("login_needed_for_password_change"); check_email_syntax($login_name); - my $user = Bugzilla::User->check($login_name); + my $user = new Bugzilla::User({ name => $login_name }); # Make sure the user account is active. - if (!$user->is_enabled) { + if ($user && !$user->is_enabled) { ThrowUserError('account_disabled', {disabled_reason => get_text('account_disabled', {account => $login_name})}); } - Bugzilla::Token::IssuePasswordToken($user); + Bugzilla::Token::IssuePasswordToken($user) if $user; $vars->{'message'} = "password_change_request"; + $vars->{'login_name'} = $login_name; print $cgi->header(); $template->process("global/message.html.tmpl", $vars) |