mirror of
https://github.com/django/django.git
synced 2024-12-23 01:25:58 +00:00
Fixed #31505 -- Doc'd possible email addresses enumeration in PasswordResetView.
This commit is contained in:
parent
71d9876e39
commit
ca769c8c13
@ -1238,6 +1238,16 @@ implementation details see :ref:`using-the-views`.
|
||||
:class:`~django.contrib.auth.forms.PasswordResetForm` and use the
|
||||
``form_class`` attribute.
|
||||
|
||||
.. note::
|
||||
|
||||
Be aware that sending an email costs extra time, hence you may be
|
||||
vulnerable to an email address enumeration timing attack due to a
|
||||
difference between the duration of a reset request for an existing
|
||||
email address and the duration of a reset request for a nonexistent
|
||||
email address. To reduce the overhead, you can use a 3rd party package
|
||||
that allows to send emails asynchronously, e.g. `django-mailer
|
||||
<https://pypi.org/project/django-mailer/>`_.
|
||||
|
||||
Users flagged with an unusable password (see
|
||||
:meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
|
||||
allowed to request a password reset to prevent misuse when using an
|
||||
|
Loading…
Reference in New Issue
Block a user