[1.2.X] Fixed #14612 - Password reset page leaks valid user ids publi…

…cly.

Thanks to PaulM for the report.

Backport of [14456] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@14458 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit fca56e845065da91e13b6511cc8cf7b70ad1272e 1 parent 74b566e
Luke Plant authored November 04, 2010
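--- a/django/contrib/auth/tests/views.py
+++ b/django/contrib/auth/tests/views.py
@@ -82,6 +82,12 @@ def test_confirm_invalid(self):
         self.assertEquals(response.status_code, 200)
         self.assert_("The password reset link was invalid" in response.content)
 
+    def test_confirm_invalid_user(self):
+        # Ensure that we get a 200 response for a non-existant user, not a 404
+        response = self.client.get('/reset/123456-1-1/')
+        self.assertEquals(response.status_code, 200)
+        self.assert_("The password reset link was invalid" in response.content)
+
     def test_confirm_invalid_post(self):
         # Same as test_confirm_invalid, but trying
         # to do a POST instead.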
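Review bot: test_confirm_invalid_user pins only the User.DoesNotExist branch of the changed view; the ValueError branch (a uidb36 that base36_to_int rejects) was changed from a 404 to the same 200 page in this commit and has no assertion, assuming the reset URL pattern lets such a value reach the view at all — that pattern is outside this diff, so it is worth checking before adding a case. If it does, a second request in the same style asserting the same status and message would close the gap. The comment on the first added line also has a typo: `# Ensure that we get a 200 response for a non-existent user, not a 404`. The enclosing test class begins outside the hunk.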
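--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -142,13 +142,13 @@ def password_reset_confirm(request, uidb36=None, token=None, template_name='regi
         post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete')
     try:
         uid_int = base36_to_int(uidb36)
-    except ValueError:
-        raise Http404
+        user = User.objects.get(id=uid_int)
+    except (ValueError, User.DoesNotExist):
+        user = None
 
-    user = get_object_or_404(User, id=uid_int)
     context_instance = RequestContext(request)
 
-    if token_generator.check_token(user, token):
+    if user is not None and token_generator.check_token(user, token):
         context_instance['validlink'] = True
         if request.method == 'POST':
             form = set_password_form(user, request.POST)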
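Review bot: The new except clause (new line 146) catches ValueError and User.DoesNotExist, but a uidb36 that decodes to an integer too large for the id column can make User.objects.get fail with a different exception on some backends (later Django versions add OverflowError to this same clause), which would leave one input class with an error page instead of the uniform "invalid link" response the commit is trying to guarantee. Widening it to `except (ValueError, OverflowError, User.DoesNotExist):` keeps every decode or lookup failure on the same path. The intent of the combined condition on new line 151 deserves a comment so a later refactor does not reintroduce a 404 for the missing-user case, e.g. `# A missing user and a bad token must render the same page; a distinct response would reveal which ids exist.` password_reset_confirm starts and ends outside the hunk, so the else branch that handles the invalid case is not visible here.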
