aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2013-06-06 22:46:30 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2013-06-06 22:46:30 +0200
commita905395d7fd7dce12a8f51b68aaeede0959480b6 (patch)
tree689eaf2d1f1b10c62c70d815fd1baf51496818d0
parentRemove tabs (diff)
downloadbugzilla-a905395d7fd7dce12a8f51b68aaeede0959480b6.tar.gz
bugzilla-a905395d7fd7dce12a8f51b68aaeede0959480b6.tar.bz2
bugzilla-a905395d7fd7dce12a8f51b68aaeede0959480b6.zip
Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password"
r=dkl a=LpSolit
-rw-r--r--Bugzilla/Token.pm4
-rw-r--r--template/en/default/account/password/forgotten-password.txt.tmpl8
-rw-r--r--template/en/default/global/messages.html.tmpl3
-rwxr-xr-xtoken.cgi7
4 files changed, 16 insertions, 6 deletions
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 183c11f96..d4224e33b 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -122,13 +122,15 @@ sub IssuePasswordToken {
ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon;
- my ($token, $token_ts) = _create_token($user->id, 'password', remote_ip());
+ my $ip_addr = remote_ip();
+ my ($token, $token_ts) = _create_token($user->id, 'password', $ip_addr);
# Mail the user the token along with instructions for using it.
my $template = Bugzilla->template_inner($user->setting('lang'));
my $vars = {};
$vars->{'token'} = $token;
+ $vars->{'ip_addr'} = $ip_addr;
$vars->{'emailaddress'} = $user->email;
$vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400);
# The user is not logged in (else he wouldn't request a new password).
diff --git a/template/en/default/account/password/forgotten-password.txt.tmpl b/template/en/default/account/password/forgotten-password.txt.tmpl
index 0c135a9ed..de2e79596 100644
--- a/template/en/default/account/password/forgotten-password.txt.tmpl
+++ b/template/en/default/account/password/forgotten-password.txt.tmpl
@@ -12,7 +12,9 @@ Subject: [% terms.Bugzilla %] Change Password Request
X-Bugzilla-Type: admin
You have (or someone impersonating you has) requested to change your
-[%+ terms.Bugzilla %] password. To complete the change, visit the following link:
+[%+ terms.Bugzilla %] password. The request originated from [% ip_addr %].
+
+To complete the change, visit the following link:
[%+ urlbase %]token.cgi?t=[% token FILTER uri %]&a=cfmpw
@@ -24,3 +26,7 @@ this request, visit the following link:
If you do nothing, the request will lapse after [% constants.MAX_TOKEN_AGE %] days
(on [% expiration_ts FILTER time("%B %e, %Y at %H:%M %Z", timezone) %]) or when you
log in successfully.
+
+If you think someone tried to compromise your account, please inform
+[%+ Param('maintainer') %] with the IP address reported above
+and the exact time when you got this email.
diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl
index 95b74f1df..885198668 100644
--- a/template/en/default/global/messages.html.tmpl
+++ b/template/en/default/global/messages.html.tmpl
@@ -571,7 +571,8 @@
[% ELSIF message_tag == "password_change_request" %]
[% title = "Request to Change Password" %]
- A token for changing your password has been emailed to you.
+ A token for changing your password has been emailed to
+ <em>[% login_name FILTER html %]</em>.
Follow the instructions in that email to change your password.
[% ELSIF message_tag == "password_changed" %]
diff --git a/token.cgi b/token.cgi
index c1630ec91..030d264af 100755
--- a/token.cgi
+++ b/token.cgi
@@ -124,17 +124,18 @@ sub requestChangePassword {
or ThrowUserError("login_needed_for_password_change");
check_email_syntax($login_name);
- my $user = Bugzilla::User->check($login_name);
+ my $user = new Bugzilla::User({ name => $login_name });
# Make sure the user account is active.
- if (!$user->is_enabled) {
+ if ($user && !$user->is_enabled) {
ThrowUserError('account_disabled',
{disabled_reason => get_text('account_disabled', {account => $login_name})});
}
- Bugzilla::Token::IssuePasswordToken($user);
+ Bugzilla::Token::IssuePasswordToken($user) if $user;
$vars->{'message'} = "password_change_request";
+ $vars->{'login_name'} = $login_name;
print $cgi->header();
$template->process("global/message.html.tmpl", $vars)