mirror of
https://github.com/django/django.git
synced 2024-12-01 15:42:04 +01:00
Fixed #14612 - Password reset page leaks valid user ids publicly.
Thanks to PaulM for the report. git-svn-id: http://code.djangoproject.com/svn/django/trunk@14456 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
7d4a3991f3
commit
6feef0c13e
@ -100,6 +100,12 @@ class PasswordResetTest(AuthViewsTestCase):
|
||||
self.assertEquals(response.status_code, 200)
|
||||
self.assert_("The password reset link was invalid" in response.content)
|
||||
|
||||
def test_confirm_invalid_user(self):
|
||||
# Ensure that we get a 200 response for a non-existant user, not a 404
|
||||
response = self.client.get('/reset/123456-1-1/')
|
||||
self.assertEquals(response.status_code, 200)
|
||||
self.assert_("The password reset link was invalid" in response.content)
|
||||
|
||||
def test_confirm_invalid_post(self):
|
||||
# Same as test_confirm_invalid, but trying
|
||||
# to do a POST instead.
|
||||
|
@ -143,13 +143,13 @@ def password_reset_confirm(request, uidb36=None, token=None, template_name='regi
|
||||
post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete')
|
||||
try:
|
||||
uid_int = base36_to_int(uidb36)
|
||||
except ValueError:
|
||||
raise Http404
|
||||
user = User.objects.get(id=uid_int)
|
||||
except (ValueError, User.DoesNotExist):
|
||||
user = None
|
||||
|
||||
user = get_object_or_404(User, id=uid_int)
|
||||
context_instance = RequestContext(request)
|
||||
|
||||
if token_generator.check_token(user, token):
|
||||
if user is not None and token_generator.check_token(user, token):
|
||||
context_instance['validlink'] = True
|
||||
if request.method == 'POST':
|
||||
form = set_password_form(user, request.POST)
|
||||
|
Loading…
Reference in New Issue
Block a user