Opened 4 years ago

Closed 4 years ago

#26161 closed Bug (invalid)

django.contrib.auth password reset email reveals the user id

Reported by: Ran Benita Owned by: nobody
Component: contrib.auth Version: 1.9
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

This was already asked in an (unanswered) django-users question, and the description there still holds, so I'll not repeat it:
https://groups.google.com/forum/#!searchin/django-users/user$20id$20password$20reset/django-users/6c8_Vfr8K1w/-TXJoVBM3poJ

I think most sites would prefer not to reveal how many users are registered or the growth rate of that value, and this is the only place that I know of where the user ID is exposed.

I suspect there is no way to fix the existing view/form in a backward-compatible way, because of custom templates and 3rd party packages which use this, like "djoser", but thought I'd raise the issue anyway.

Change History (1)

comment:1 Changed 4 years ago by Sergei Maertens

Resolution: invalid
Status: new → closed

If I understand the code correctly, the ID is required to associate the token/url with the specified user, since there's no other way to retrieve the user from the token - hashing is a one-way process.

Maybe USERNAME_FIELD could be used instead of the PK, but for that there's the possibility to specify a different token_generator, as per django.contrib.auth.views.password_reset:

def password_reset(request,
                   template_name='registration/password_reset_form.html',
                   email_template_name='registration/password_reset_email.html',
                   subject_template_name='registration/password_reset_subject.txt',
                   password_reset_form=PasswordResetForm,
                   token_generator=default_token_generator,
                   post_reset_redirect=None,
                   from_email=None,
                   extra_context=None,
                   html_email_template_name=None,
                   extra_email_context=None):
    ...

The associated password_reset_form can be overridden as well.
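The argument in the comment above, worked through as an added example (not Django's own code, and not the reporter's or commenter's): a simplified model of a Django-style reset token shows why the token alone cannot identify the user, and that the identifier carried in the link only needs to be something the server can resolve, so a random per-user value (the assumed `reset_uid` field below) can stand in for the sequential primary key the ticket is about. `SECRET_KEY`, `USERS` and the user records are constructed for the example.

```python
import hmac, hashlib, secrets, time
from dataclasses import dataclass

SECRET_KEY = b"constructed-secret-for-the-example"  # assumption: stands in for settings.SECRET_KEY

@dataclass
class User:
    pk: int            # sequential id; this is the value the ticket says the email leaks
    username: str
    password_hash: str
    last_login: int
    reset_uid: str     # assumption: random, non-sequential identifier (not a Django field)

# constructed sample store
USERS = {
    1: User(1, "alice", "hash-a", 1000, secrets.token_urlsafe(16)),
    2: User(2, "bob",   "hash-b", 2000, secrets.token_urlsafe(16)),
}
BY_RESET_UID = {u.reset_uid: u for u in USERS.values()}

def _hash_value(user, ts):
    # As in Django's generator, the MAC covers state that changes once the
    # password is reset (hash, last_login), which makes the token single-use.
    return f"{user.pk}{user.password_hash}{user.last_login}{ts}".encode()

def make_token(user, ts=None):
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(SECRET_KEY, _hash_value(user, ts), hashlib.sha256).hexdigest()[:40]
    return f"{ts}-{mac}"

def check_token(user, token, max_age=3 * 24 * 3600, now=None):
    try:
        ts_str, mac = token.split("-", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, _hash_value(user, ts), hashlib.sha256).hexdigest()[:40]
    if not hmac.compare_digest(expected, mac):
        return False
    now = int(time.time()) if now is None else now
    return 0 <= now - ts <= max_age

def build_reset_link(user):
    # The MAC is one-way, so the link must carry an identifier the server can
    # map back to a user; here that is the opaque reset_uid, not the pk.
    return f"/reset/{user.reset_uid}/{make_token(user)}/"

def resolve_reset_link(path):
    # Look the user up by the opaque id, then verify the token for that user.
    try:
        _, _, uid, token, _ = path.split("/")
    except ValueError:
        return None
    user = BY_RESET_UID.get(uid)
    return user if user is not None and check_token(user, token) else None
```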
