Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Password reset token are not invalidated [security] #2370

Closed
KrzysztofMadejski opened this issue Mar 30, 2015 · 3 comments
Closed

Password reset token are not invalidated [security] #2370

KrzysztofMadejski opened this issue Mar 30, 2015 · 3 comments
Assignees
@wardi

Comments

@KrzysztofMadejski
Copy link
Contributor

I can use generated token multiple times to reset password. It should be invalidated after first successful password change!

Concerns: CKAN 2.3
@wardi wardi self-assigned this Mar 31, 2015
@wardi
Copy link
Contributor

wardi commented Mar 31, 2015

@KrzysztofMadejski absolutely, you're right. Do you have time to submit a fix?

For security related issues like this one please send your future reports to security@ckan.org

@nateprewitt nateprewitt mentioned this issue Apr 2, 2015
Merged
@KrzysztofMadejski
Copy link
Contributor Author

sorryy, I will use it in the future!

I see it's already PRed.

amercader added a commit that referenced this issue May 11, 2015
@amercader
[#2370] add reset for reset_key on successful password change
b928ed8 
Adapted for this branch tests
@tino097
Copy link
Member

tino097 commented Sep 10, 2018

Looks like this was fixed, also its targeting old release. Closing

@tino097 tino097 closed this as completed Sep 10, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wardi wardi

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@wardi @KrzysztofMadejski @tino097