id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
35730	Enhance password reset security by signing 'uid' parameter instead of base64-encoding to prevent possible user count leakage	Remy		"When using Django’s default view for requesting a password reset, `PasswordResetView`, the `PasswordResetForm`’s save() method sends an email containing a `uid` parameter generated using `urlsafe_base64_encode(force_bytes(user.pk))`. 

This results in the user’s email inbox containing a password reset link that indirectly reveals the user’s primary key (`user.pk`), which exposes information about how many users exist on any Django site that uses this default view.

Surely, organizations that design their entities with non-enumerable public identifiers (such as by using a `UUIDField` for the primary key) would not be affected by this, however as the issue is also addressed by other means, such as a secondary public identifier, or simply a careful app design, I would still think that many Django site owners who prefer to keep this information private are likely unaware that it’s being exposed through this native mechanism.

To prevent the leakage of the `user.pk` value by default, I replaced the base64 encoding with the signing of the `user.pk` value (PR https://github.com/django/django/pull/18539)."	Cleanup/optimization	new	contrib.auth	5.1	Normal			Remy	Unreviewed	1	0	0	0	0	0