id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
14612	Password reset page leaks user count	Paul McMillan	nobody	"`django.contrib.auth.views.password_reset_confirm()` leaks information related to the number of registered users in the system.

To reproduce, enable admin, add a user, and import the urlconf from `contrib.auth.urls`. Visit the reset url with a request like this:
{{{
    http://localhost:8000/reset/1-2-3/
}}}
Repeatedly increment the first value (starting at 1 in this example). When the value is equal to the pk of a valid user, the page returns a 200 with an explanation that your reset url was invalid. When you reach a user pk that has not yet been assigned, you get a 404.

While the user count is not incredibly vital to security, most admins would prefer not to leak information in this fashion."		closed	contrib.auth	1.2		fixed			Accepted	0	0	0	0	0	0
