From fca56e845065da91e13b6511cc8cf7b70ad1272e Mon Sep 17 00:00:00 2001
From: Luke Plant
Date: Thu, 4 Nov 2010 12:39:27 +0000
Subject: [PATCH] [1.2.X] Fixed #14612 - Password reset page leaks valid user ids publicly.
Thanks to PaulM for the report.
Backport of [14456] from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@14458 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/contrib/auth/tests/views.py | 6 ++++++
 django/contrib/auth/views.py | 8 ++++----
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/django/contrib/auth/tests/views.py b/django/contrib/auth/tests/views.py
index 808de1052e..22fdbd6eaf 100644
--- a/django/contrib/auth/tests/views.py
+++ b/django/contrib/auth/tests/views.py
@@ -82,6 +82,12 @@ class PasswordResetTest(AuthViewsTestCase):
 self.assertEquals(response.status_code, 200)
 self.assert_("The password reset link was invalid" in response.content)
+ def test_confirm_invalid_user(self):
+ # Ensure that we get a 200 response for a non-existant user, not a 404
+ response = self.client.get('/reset/123456-1-1/')
+ self.assertEquals(response.status_code, 200)
+ self.assert_("The password reset link was invalid" in response.content)
+
 def test_confirm_invalid_post(self):
 # Same as test_confirm_invalid, but trying
 # to do a POST instead.
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index 197799eb9e..6f75873fe0 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
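Review bot: The new test_confirm_invalid_user pins only a 200 status and one substring, so it would still pass if the unknown-user page and the bad-token page differed in some other visible way, which is exactly the distinction #14612 is meant to remove. A stronger regression test would also fetch a bad-token URL for a user that does exist and assert the two bodies are identical, e.g. `self.assertEquals(response.content, self.client.get(<bad-token URL for an existing user>).content)`, using whatever URL test_confirm_invalid above already builds. The inline comment also has a spelling slip; `# Ensure that we get a 200 response for a non-existent user, not a 404` reads correctly.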
@@ -142,13 +142,13 @@ def password_reset_confirm(request, uidb36=None, token=None, template_name='regi
 post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete')
 try:
 uid_int = base36_to_int(uidb36)
- except ValueError:
- raise Http404
+ user = User.objects.get(id=uid_int)
+ except (ValueError, User.DoesNotExist):
+ user = None
- user = get_object_or_404(User, id=uid_int)
 context_instance = RequestContext(request)
- if token_generator.check_token(user, token):
+ if user is not None and token_generator.check_token(user, token):
 context_instance['validlink'] = True
 if request.method == 'POST':
 form = set_password_form(user, request.POST)
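Review bot: The `user = None` fallback is the security fix, but nothing in the code says why a 404 is no longer acceptable, so a later cleanup could reintroduce `get_object_or_404` without noticing; a comment on the `except (ValueError, User.DoesNotExist):` line such as `# An unknown or malformed uid must render the same "invalid link" page as a bad token, not 404, so valid user ids cannot be enumerated (#14612).` would record the intent. Because `if user is not None and token_generator.check_token(user, token):` short-circuits, the token check is skipped entirely for unknown ids, so the two cases still differ in server-side work; that difference is probably negligible next to the database lookup, but it is the residual one to keep in mind. The `else` branch that handles the invalid link, and the rest of `password_reset_confirm`, lie outside the hunk; confirm that path does not dereference `user` now that it can be `None`.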