[3.0.x] Fixed #31505 -- Doc'd possible email addresses enumeration in…

… PasswordResetView. Backport of ca769c8 from master
django · Apr 27, 2020 · 04bc357 · 04bc357
1 parent 657992c
commit 04bc357
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
@@ -1248,6 +1248,16 @@ implementation details see :ref:`using-the-views`.
     :class:`~django.contrib.auth.forms.PasswordResetForm` and use the
     ``form_class`` attribute.
 
+    .. note::
+
+        Be aware that sending an email costs extra time, hence you may be
+        vulnerable to an email address enumeration timing attack due to a
+        difference between the duration of a reset request for an existing
+        email address and the duration of a reset request for a nonexistent
+        email address. To reduce the overhead, you can use a 3rd party package
+        that allows to send emails asynchronously, e.g. `django-mailer
+        <https://pypi.org/project/django-mailer/>`_.
+
     Users flagged with an unusable password (see
     :meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
     allowed to request a password reset to prevent misuse when using an