DoS possible with django.contrib.auth.views.password_reset
Reported by: mafr
Owned by: Luke Plant
Cc:
Triage Stage: Design decision needed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
The password_reset view creates a new password overwriting the existing one. Any user who knows your email address can trigger this process as often as he likes. The effect is that you can't log into your account until you have changed your password.
I think the existing password should remain valid even if a reset email has been triggered. The mail should contain a token that can be used to change the password; even if multiple password reset mails are sent, any token should be usable for password reset in a certain time window.
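The two behaviours the ticket contrasts, as an added example that is not Django's code: `reset_overwrite` does what the report describes, while `issue_reset_token` and `redeem_reset_token` implement the token flow proposed above, going one step beyond the proposal by binding the token to the current password hash so that a redeemed token cannot be replayed. The secret, TTL and user store are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = b"constructed-demo-secret"  # hypothetical; real deployments load this from config
TOKEN_TTL = 3600  # seconds a reset token stays usable

def _hash(password):
    # Stand-in for a real salted password hasher; kept short for the example.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed in-memory user store.
users = {"alice": {"email": "alice@example.com", "pw_hash": _hash("correct horse")}}

def reset_overwrite(email):
    """Behaviour the ticket reports: the password is replaced as soon as the
    address is submitted, so anyone who knows it can lock the owner out."""
    for name, rec in users.items():
        if rec["email"] == email:
            rec["pw_hash"] = _hash(secrets.token_urlsafe(12))
            return name
    return None

def _sign(username, issued_at):
    # Binding the current password hash into the MAC lets every token issued in
    # the window stay usable, but kills all of them once one is redeemed.
    msg = f"{username}:{issued_at}:{users[username]['pw_hash']}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_reset_token(username, now=None):
    """Proposed behaviour: mail a signed, time-limited token; the password is untouched."""
    issued_at = int(now if now is not None else time.time())
    return f"{username}:{issued_at}:{_sign(username, issued_at)}"

def redeem_reset_token(token, new_password, now=None):
    """Change the password only for an authentic token inside its time window."""
    now = now if now is not None else time.time()
    try:
        username, issued_at, sig = token.split(":")
        issued_at = int(issued_at)
    except ValueError:
        return False
    if username not in users or not hmac.compare_digest(sig, _sign(username, issued_at)):
        return False
    if not issued_at <= now < issued_at + TOKEN_TTL:
        return False
    users[username]["pw_hash"] = _hash(new_password)
    return True
```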
Change History (8)
comment:1 Changed 9 years ago by
Triage Stage: Unreviewed → Design decision needed