Opened 2 years ago

Last modified 2 years ago

#26615 assigned Cleanup/optimization

Changing user's email could invalidate password reset tokens

Reported by: Alex Gaynor
Owned by: Ross Curzon-Butler
Component: contrib.auth
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

Sequence:

  • Have account with email address foo@…
  • Password reset request for that email (unused)
  • foo@… account changes their email address
  • Password reset email is used

The password reset email's token should be rejected at that point, but in fact it is allowed.

The fix is to add the user's email address into PasswordResetTokenGenerator._make_hash_value().

Nothing forces a user to even have an email as per AbstractBaseUser. Perhaps the token generation method could be factored out onto the model, à la get_session_auth_hash().
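To make the failure mode concrete, here is an added, self-contained Python model of the token scheme the ticket discusses. It is not Django's code: the `User` dataclass, the `ResetTokenGenerator` class, the `SECRET_KEY` value and the dates are all constructed for the example. The point it demonstrates is the one in the description: the reset token is an HMAC over whatever `_make_hash_value()` returns, so a field that is not in that value can change without invalidating outstanding tokens. The same generator is run twice over the ticket's four-step sequence, once without the email in the hash value (the reported behaviour) and once with it (the proposed fix).

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed stand-in for a user row; not Django's AbstractBaseUser.
@dataclass
class User:
    pk: int
    password: str                 # hashed password string as stored in the DB
    last_login: Optional[datetime]
    email: str

SECRET_KEY = b"constructed-secret-key-for-this-example-only"  # placeholder, not a real key
TOKEN_TIMEOUT = timedelta(days=1)
_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # arbitrary fixed origin for the day counter


def _salted_hmac(key_salt: str, value: str) -> str:
    """Keyed MAC over `value`; the key is derived from a per-purpose salt and the secret."""
    key = hashlib.sha256(key_salt.encode() + SECRET_KEY).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def _days_since_epoch(dt: datetime) -> int:
    return (dt - _EPOCH).days


class ResetTokenGenerator:
    """Simplified model of a password-reset token generator (constructed, not Django's class).

    A token is "<days>-<mac>". The MAC covers the string returned by
    _make_hash_value(), so any change to one of the covered fields invalidates
    every outstanding token. Which fields are covered is the security decision
    the ticket is about.
    """

    key_salt = "example.ResetTokenGenerator"

    def __init__(self, include_email: bool) -> None:
        self.include_email = include_email

    def _make_hash_value(self, user: User, days: int) -> str:
        # Password hash and last_login change on password change / login;
        # the day counter bounds the token's lifetime.
        login_ts = "" if user.last_login is None else user.last_login.isoformat()
        value = f"{user.pk}{user.password}{login_ts}{days}"
        if self.include_email:
            value += user.email  # the fix proposed in the ticket
        return value

    def _make_token(self, user: User, days: int) -> str:
        return f"{days}-{_salted_hmac(self.key_salt, self._make_hash_value(user, days))}"

    def make_token(self, user: User, now: datetime) -> str:
        return self._make_token(user, _days_since_epoch(now))

    def check_token(self, user: User, token: str, now: datetime) -> bool:
        try:
            days_str, _mac = token.split("-", 1)
            days = int(days_str)
        except ValueError:
            return False
        # Recompute from the user's *current* state and compare in constant time.
        if not hmac.compare_digest(self._make_token(user, days), token):
            return False
        # Then enforce expiry.
        return 0 <= _days_since_epoch(now) - days <= TOKEN_TIMEOUT.days


def _constructed_user() -> User:
    return User(pk=1, password="hashed-password-placeholder", last_login=None,
                email="foo@example.com")


def replay_ticket_sequence(include_email: bool) -> bool:
    """Run the ticket's sequence; return True if the stale token is still accepted."""
    gen = ResetTokenGenerator(include_email=include_email)
    t0 = datetime(2016, 5, 12, 12, 0, tzinfo=timezone.utc)   # constructed date
    user = _constructed_user()
    token = gen.make_token(user, now=t0)                      # reset requested, link unused
    user.email = "bar@example.com"                            # account changes its email
    return gen.check_token(user, token, now=t0 + timedelta(hours=1))  # link used


def unchanged_user_still_validates(include_email: bool) -> bool:
    """Sanity check: the fix must not break the normal flow."""
    gen = ResetTokenGenerator(include_email=include_email)
    t0 = datetime(2016, 5, 12, 12, 0, tzinfo=timezone.utc)
    user = _constructed_user()
    return gen.check_token(user, gen.make_token(user, now=t0), now=t0 + timedelta(hours=1))


def expired_token_rejected(include_email: bool) -> bool:
    gen = ResetTokenGenerator(include_email=include_email)
    t0 = datetime(2016, 5, 12, 12, 0, tzinfo=timezone.utc)
    user = _constructed_user()
    token = gen.make_token(user, now=t0)
    return not gen.check_token(user, token, now=t0 + timedelta(days=3))


if __name__ == "__main__":
    print("stale token accepted without email in hash:", replay_ticket_sequence(False))
    print("stale token accepted with email in hash:   ", replay_ticket_sequence(True))
```

Because `check_token` recomputes the MAC from the user's current row, the generator never stores tokens; that is also why any field left out of `_make_hash_value()` is invisible to validation. The second comment in the description still applies to this model: if a user model has no email field, the hash value needs to tolerate that (for example by contributing an empty string), which is the reason for the suggestion to let the model supply the value.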

Change History (9)

comment:1 Changed 2 years ago by Silas Barta

Has patch: set

comment:2 Changed 2 years ago by Tim Graham

Patch needs improvement: set

comment:3 Changed 2 years ago by Silas Barta

Patch needs improvement: unset

comment:4 Changed 2 years ago by Silas Barta

comment:5 Changed 2 years ago by Berker Peksag

Needs documentation: set
Patch needs improvement: set

comment:6 Changed 2 years ago by Ross Curzon-Butler

Owner: changed from nobody to Ross Curzon-Butler
Status: new → assigned

comment:7 Changed 2 years ago by Ross Curzon-Butler

New pull request made at https://github.com/django/django/pull/6868 containing requested documentation

comment:8 Changed 2 years ago by Tim Graham

Needs documentation: unset
Patch needs improvement: unset

comment:9 Changed 2 years ago by Tim Graham

Patch needs improvement: set

Comments for improvement are on the PR.
