mirror of https://github.com/django/django.git, synced 2025-10-24 06:06:09 +00:00
Fixed #27518 -- Prevented possible password reset token leak via HTTP Referer header.
Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review.
committed by Tim Graham
parent 91023d79ec
commit ede59ef6f3
@@ -116,6 +116,14 @@ Minor features
:class:`~django.contrib.auth.views.PasswordResetConfirmView` allows
automatically logging in a user after a successful password reset.

* To avoid the possibility of leaking a password reset token via the HTTP
Referer header (for example, if the reset page includes a reference to CSS or
JavaScript hosted on another domain), the
:class:`~django.contrib.auth.views.PasswordResetConfirmView` (but not the
deprecated ``password_reset_confirm()`` function-based view) stores the token
in a session and redirects to itself to present the password change form to
the user without the token in the URL.

* :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session
key to allow a password change to invalidate stolen session cookies.
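Review bot: the new bullet tells users of the deprecated ``password_reset_confirm()`` function-based view that they are excluded only in a parenthesis, which is easy to miss in a release note about a token leak; after "without the token in the URL." add a plain sentence such as "Projects still using ``password_reset_confirm()`` are not protected and should migrate to ``PasswordResetConfirmView``." Since the bullet says the token is "stored in a session" and read back after the self-redirect, it should also state that the protection depends on a working session, so a browser that does not accept the session cookie cannot complete the reset.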