Closed Bug 878035 Opened 12 years ago Closed 12 years ago

Do not disclose whether a user account exists or not when a user clicks "forgot password"

Categories

(Bugzilla :: User Accounts, enhancement)

RESOLVED FIXED
Bugzilla 5.0

People

(Reporter: LpSolit, Assigned: LpSolit)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

If you ask to change your forgotten password and you type an email address which doesn't exist, then the message should be the same as the one you get if the user account exists. See bug 670887 for some of the rationale.
Bonus point: the email sent to change the password should also include the IP address of the user asking for a new password. This way, this would give us a chance to track a potential attacker if many users receive the "change password" email with the same IP address in it.
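An added illustration in Python (not Bugzilla's own code, which is Perl) of the two behaviours requested above: the requester sees the same message whether or not the account exists, and the email records the requesting IP so that one address hitting many accounts can be spotted. The account list, reply wording, function names and addresses are constructed for this example.

```python
import secrets

# Constructed sample data: the registered accounts in this example.
ACCOUNTS = {"alice@example.org", "bob@example.org", "carol@example.org"}

# One message for both outcomes (wording is hypothetical, not Bugzilla's).
GENERIC_REPLY = ("If an account exists for that address, instructions "
                 "to change the password have been sent to it.")


def request_password_reset(login, remote_ip, outbox, tokens):
    """Handle a "forgot password" request without revealing account existence.

    Returns the text shown to the requester, which is identical for known
    and unknown addresses. A token and an email exist only for real accounts.
    """
    login = login.strip().lower()
    if login in ACCOUNTS:
        token = secrets.token_urlsafe(16)
        tokens[token] = login
        outbox.append({
            "to": login,
            "ip": remote_ip,
            "body": ("You have (or someone impersonating you has) requested "
                     "to change your password. "
                     f"The request comes from {remote_ip}.\n"
                     f"Token: {token}\n"),
        })
    # No branch-specific text: the caller cannot tell which path was taken.
    return GENERIC_REPLY


def ips_targeting_many_accounts(outbox, threshold=3):
    """Map each IP to its recipients when it reached >= threshold accounts."""
    seen = {}
    for mail in outbox:
        seen.setdefault(mail["ip"], set()).add(mail["to"])
    return {ip: rcpts for ip, rcpts in seen.items() if len(rcpts) >= threshold}
```
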
Attached patch: patch, v1
Assignee: user-accounts → LpSolit
Status: NEW → ASSIGNED
Attachment #756536 - Flags: review?(dkl)
Comment on attachment 756536 [details] [diff] [review] patch, v1 Review of attachment 756536 [details] [diff] [review]: ----------------------------------------------------------------- Looks good and worked as expected. Nit can be fixed on checkin. r=dkl ::: template/en/default/account/password/forgotten-password.txt.tmpl @@ +12,4 @@ > X-Bugzilla-Type: admin > > You have (or someone impersonating you has) requested to change your > +[%+ terms.Bugzilla %] password. The request comes from [% ip_addr %]. nit: s/comes/originated/
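Review bot: in the forgotten-password.txt.tmpl hunk, the added sentence "The request comes from [% ip_addr %]." interpolates the value without saying what it is, so the recipient sees a bare address with no label. Consider wording it as "from the IP address [% ip_addr %]" so the mail explains itself. The visible context also gives the recipient no pointer on what to do when the request was not theirs; if the lines outside this hunk do not already cover that, a short sentence next to the address would be the place for it.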
Attachment #756536 - Flags: review?(dkl) → review+
Flags: approval+
Target Milestone: --- → Bugzilla 5.0
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified token.cgi
modified Bugzilla/Token.pm
modified template/en/default/account/password/forgotten-password.txt.tmpl
modified template/en/default/global/messages.html.tmpl
Committed revision 8634.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED