Account enumeration vulnerability about django-password-reset HOT 1 OPEN

Work-around is as follows; put the overriding logic into your app's view.py file:

from django.core.urlresolvers import reverse
from django.core import signing
from password_reset.views import Recover

class RecoverView(Recover):
    def form_invalid(self, form):
        # We want to make believe that an invalid user/email is actually valid
        user = form.data['username_or_email']
        self.mail_signature = signing.dumps(user, salt=self.url_salt)
        return super(Recover, self).form_valid(form)

    def form_valid(self, form):
        # Overridden so as to not allow for enumeration of email via username
        self.user = form.cleaned_data['user']
        username_or_email = form.data['username_or_email']
        self.send_notification()
        self.mail_signature = signing.dumps(username_or_email,
                                            salt=self.url_salt)
        return super(Recover, self).form_valid(form)

You will also need to override the URL:

url(r'^recover/$', RecoverView.as_view(), name='password_reset_recover'),

_Explantation:_
Both, form_valid and form_invalid have to be overridden, because there is a second enumeration vulnerability in the form_valid function, where upon successful entry of a username that exists in the system will display a message stating that an email was sent to the the entered username's email address. By displaying the email address here, anyone can find a valid user and their email address by attempting password resets with usernames.

The changes made will make it so that the value entered on the reset form is the same value that generates the end URL and is the same value that gets displayed on the (success) results page, and this is what will get displayed whether the username or email is valid or not.

If you would like a pull request with these changes, just say the word.

from django-password-reset.