Commit 6feef0c1 authored by Luke Plant's avatar Luke Plant
Browse files

Fixed #14612 - Password reset page leaks valid user ids publicly. 

Thanks to PaulM for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14456 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 7d4a3991

django/contrib/auth/tests/views.py

+6 −0
Original line number Diff line number Diff line
@@ -100,6 +100,12 @@ class PasswordResetTest(AuthViewsTestCase): 
        self.assertEquals(response.status_code, 200)

        self.assert_("The password reset link was invalid" in response.content)



    def test_confirm_invalid_user(self):

        # Ensure that we get a 200 response for a non-existant user, not a 404

        response = self.client.get('/reset/123456-1-1/')

        self.assertEquals(response.status_code, 200)

        self.assert_("The password reset link was invalid" in response.content)



    def test_confirm_invalid_post(self):

        # Same as test_confirm_invalid, but trying

        # to do a POST instead.

django/contrib/auth/views.py

+4 −4
Original line number Diff line number Diff line
@@ -143,13 +143,13 @@ def password_reset_confirm(request, uidb36=None, token=None, template_name='regi 
        post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete')

    try:

        uid_int = base36_to_int(uidb36)

    except ValueError:

        raise Http404

        user = User.objects.get(id=uid_int)

    except (ValueError, User.DoesNotExist):

        user = None



    user = get_object_or_404(User, id=uid_int)

    context_instance = RequestContext(request)



    if token_generator.check_token(user, token):

    if user is not None and token_generator.check_token(user, token):

        context_instance['validlink'] = True

        if request.method == 'POST':

            form = set_password_form(user, request.POST)