User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Build ID: 20150320201757

Steps to reproduce:

On logging in to Bugzilla at https://bugzilla.mozilla.org/index.cgi?GoAheadAndLogIn=1 for the first time in years. . . . I received this message:

Your password is currently less than 8 characters long, which is the new minimum length required for passwords. You must request a new password in order to log in again.

Actual results:

Okay, fair, so I clicked on “request a new password,” which gave me:

It looks like you didn't come from the right page. One reason could be that you entered the URL in the address bar of your web browser directly, which should be safe. Another reason could be that you clicked on a URL which redirected you here without your consent. Are you sure you want to commit these changes?

Expected results:

Bugzilla should trust bugzilla.
Bug introduced with fix to previous bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1009013
Not reproducible upstream. But bmo backported this feature, so they probably missed some other related fixes.
Assignee: user-accounts → nobody
Component: User Accounts → General
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: 5.0 → Production
actually bmo isn't carrying the changes from bug 1009013, but we have backported csrf token fixes which is likely the cause of this issue. backporting bug 1009013 should fix this as it adds the missing token to the link in the error.
Assignee: nobody → glob
this was a trivial straight backport.

To ssh://email@example.com/webtools/bmo/bugzilla.git
   48c23b1..d4a53a6  master -> master
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Summary: Minimum password length handler not trusted by password change → backport bug 1009013 to bmo (Require a user to change their password if they log in and their current password does not meet the password complexity rules)