Opened 8 years ago

Closed 8 years ago

#26161 closed Bug (invalid)

django.contrib.auth password reset email reveals the user id

Reported by: Ran Benita Owned by: nobody
Component: contrib.auth Version: 1.9
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


This was already asked in an (unanswered) django-users question, and the description there still holds, so I'll not repeat it: !searchin/django-users/user$20id$20password$20reset/django-users/6c8_Vfr8K1w/-TXJoVBM3poJ

I think most sites would prefer not to reveal how many users are registered or the growth rate of that value, and this is the only place that I know of where the user ID is exposed.

I suspect there is no way to fix the existing view/form in a backward-compatible way, because of custom templates and 3rd party packages which use this, like "djoser", but thought I'd raise the issue anyway.

Change History (1)

comment:1 by Sergei Maertens, 8 years ago

Resolution: invalid
Status: new → closed

If I understand the code correctly, the ID is required to associate the token/url with the specified user, since there's no other way to retrieve the user from the token - hashing is a one-way process.

Maybe USERNAME_FIELD could be used instead of the PK, but for that there's the possibility to specify a different token_generator, as per django.contrib.auth.views.password_reset:

    # signature as in django/contrib/auth/views.py, Django 1.9
    def password_reset(request,
                       template_name='registration/password_reset_form.html',
                       email_template_name='registration/password_reset_email.html',
                       subject_template_name='registration/password_reset_subject.txt',
                       password_reset_form=PasswordResetForm,
                       token_generator=default_token_generator,
                       post_reset_redirect=None,
                       from_email=None,
                       extra_context=None,
                       html_email_template_name=None,
                       extra_email_context=None):

The associated password_reset_form can be overridden as well.
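The comment above rests on two facts worth seeing concretely: the uidb64 segment of the reset link is plain base64 of the integer primary key (an encoding, not a secret), and the token is an HMAC over the user's state, so it can be verified for a given user but cannot be reversed to find one. The following is an added, stand-alone illustration written for this page; it is not Django's code. It re-implements a simplified PasswordResetTokenGenerator with hmac/hashlib, builds the default-style link to show that the id is trivially recoverable, and then shows the alternative the comment alludes to: carrying a random per-user identifier in the link instead of the pk, with a matching lookup on the confirm side. The SECRET_KEY value, the in-memory USERS table and its public_id column are constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac

# Stand-in for settings.SECRET_KEY (assumption; a demo value, not a real key).
SECRET_KEY = b"example-secret-key-for-demo-only"

# Constructed sample user table. "public_id" is an assumed extra column holding
# a random uuid4 string; Django's default user model has no such field.
USERS = {
    1: {"pk": 1, "username": "alice", "password_hash": "pbkdf2_sha256$old",
        "last_login": "2016-01-10", "public_id": "7a3e5ed6-1c2b-4b9e-9d0a-8c1e4b2f6a11"},
    2: {"pk": 2, "username": "bob", "password_hash": "pbkdf2_sha256$abc",
        "last_login": "2016-01-11", "public_id": "0f1d8c4a-6b3e-4f7a-a2c9-5e6d7b8a9c01"},
}
PUBLIC_INDEX = {u["public_id"]: u for u in USERS.values()}


def urlsafe_b64encode_nopad(data: bytes) -> str:
    """Mirror of django.utils.http.urlsafe_base64_encode: no '=' padding."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def urlsafe_b64decode_nopad(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def int_to_base36(n: int) -> str:
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(digits[r])
    return "".join(reversed(out))


def make_token(user: dict, timestamp: int) -> str:
    """Simplified token generator: an HMAC over state that changes when the
    password is reset (hash, last_login) plus a day timestamp for expiry.
    The HMAC is one-way, so the token by itself cannot identify the user;
    the link must carry some lookup key alongside it."""
    msg = f"{user['pk']}{user['password_hash']}{user['last_login']}{timestamp}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha1).hexdigest()[::2]
    return f"{int_to_base36(timestamp)}-{mac}"


def check_token(user: dict, token: str, now: int, max_age: int = 3) -> bool:
    """Recompute the token for this user and compare in constant time."""
    try:
        ts_b36, _ = token.split("-", 1)
        timestamp = int(ts_b36, 36)
    except ValueError:
        return False
    if not hmac.compare_digest(make_token(user, timestamp), token):
        return False
    return now - timestamp <= max_age


def reset_path_default(user: dict, timestamp: int) -> str:
    """What the default email template builds: /reset/<uidb64>/<token>/ with
    uidb64 = base64 of the integer pk. This is what the ticket objects to."""
    uidb64 = urlsafe_b64encode_nopad(str(user["pk"]).encode())
    return f"/reset/{uidb64}/{make_token(user, timestamp)}/"


def reset_path_opaque(user: dict, timestamp: int) -> str:
    """Same link shape, but the lookup key is the random public_id."""
    uidb64 = urlsafe_b64encode_nopad(user["public_id"].encode())
    return f"/reset/{uidb64}/{make_token(user, timestamp)}/"


def reveal_uid(path: str) -> str:
    """Anyone holding the link (or a proxy/mail log line) can decode the id."""
    uidb64 = path.split("/")[2]
    return urlsafe_b64decode_nopad(uidb64).decode()


def confirm_opaque(path: str, now: int):
    """Counterpart of the confirm view for the opaque variant: resolve the
    user by public_id, then verify the token against that user's state."""
    _, _, uidb64, token, _ = path.split("/")
    user = PUBLIC_INDEX.get(urlsafe_b64decode_nopad(uidb64).decode())
    if user is None or not check_token(user, token, now):
        return None
    return user


def token_dead_after_reset(user: dict, timestamp: int) -> bool:
    """One-time property: once the password hash changes, the old token fails."""
    token = make_token(user, timestamp)
    changed = dict(user, password_hash=user["password_hash"] + "$rotated")
    return check_token(user, token, timestamp) and not check_token(changed, token, timestamp)


if __name__ == "__main__":
    day = 16800  # constructed "days since epoch" value
    print(reset_path_default(USERS[1], day), "->", reveal_uid(reset_path_default(USERS[1], day)))
    print(reset_path_opaque(USERS[1], day), "->", reveal_uid(reset_path_opaque(USERS[1], day)))
```

Note that the opaque variant does not change the token at all; it only changes which key the link carries and how the confirm side resolves it. Doing the same in a real deployment means overriding both halves of the flow (the form that renders the email and the confirm view that decodes uidb64), which is why the comment points at password_reset_form and token_generator as the customization points rather than proposing a change to the default view.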
