Comments (1)
Work-around is as follows; put the overriding logic into your app's view.py file:

```python
from django.core import signing
from password_reset.views import Recover


class RecoverView(Recover):
    def form_invalid(self, form):
        # We want to make believe that an invalid user/email is actually valid:
        # sign whatever was typed so the success URL looks the same, then go
        # straight to FormView.form_valid (skipping Recover.form_valid, which
        # would look up the user and send mail).
        user = form.data.get('username_or_email', '')
        self.mail_signature = signing.dumps(user, salt=self.url_salt)
        return super(Recover, self).form_valid(form)

    def form_valid(self, form):
        # Overridden so as to not allow for enumeration of email via username:
        # the notification still goes to the real address, but the URL and the
        # success page are built from the submitted value, not the account email.
        self.user = form.cleaned_data['user']
        username_or_email = form.data.get('username_or_email', '')
        self.send_notification()
        self.mail_signature = signing.dumps(username_or_email,
                                            salt=self.url_salt)
        # Deliberately super(Recover, ...) rather than super(RecoverView, ...):
        # Recover.form_valid would overwrite mail_signature with the email.
        return super(Recover, self).form_valid(form)
```
You will also need to override the URL:

```python
# In urls.py; this entry must come before the include of password_reset.urls,
# since Django uses the first pattern that matches.
url(r'^recover/$', RecoverView.as_view(), name='password_reset_recover'),
```
_Explanation:_

Both `form_valid` and `form_invalid` have to be overridden, because there is a second enumeration vulnerability in the `form_valid` function, where, upon successful entry of a username that exists in the system, a message is displayed stating that an email was sent to the entered username's email address. By displaying the email address here, anyone can find a valid user and their email address by attempting password resets with usernames.
The changes made will make it so that the value entered on the reset form is the same value that generates the end URL and is the same value that gets displayed on the (success) results page, and this is what will get displayed whether the username or email is valid or not.
If you would like a pull request with these changes, just say the word.
from django-password-reset.
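An added, stand-alone model of the two behaviours the comment contrasts, written for this page and not taken from django-password-reset: `sign` is a constructed stand-in for `django.core.signing.dumps`, the user directory is constructed, and `leaks_existence` is a hypothetical defender check that a known and an unknown identifier produce the same response shape.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

SECRET = b"constructed-demo-secret"   # stand-in for settings.SECRET_KEY
URL_SALT = "password_recovery_url"     # plays the role of Recover.url_salt


def sign(value, salt):
    """Stand-in for signing.dumps(value, salt=salt): value plus a keyed tag,
    so the reset view can verify the token was issued here."""
    tag = hmac.new(SECRET, f"{salt}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    body = base64.urlsafe_b64encode(value.encode()).decode().rstrip("=")
    return f"{body}:{tag}"


@dataclass
class User:
    username: str
    email: str


USERS = {"alice": User("alice", "alice@example.org")}   # constructed directory


def find_user(identifier):
    return next((u for u in USERS.values() if identifier in (u.username, u.email)), None)


def recover_leaky(identifier, outbox=None):
    """Original behaviour: unknown identifiers get a distinct error, and a known
    username is answered with the account's email address in the URL and message."""
    user = find_user(identifier)
    if user is None:
        return {"status": 400, "message": "Sorry, this user doesn't exist."}
    (outbox if outbox is not None else []).append(user.email)
    return {"status": 302, "next": "/recover/%s/" % sign(user.email, URL_SALT),
            "message": "An email was sent to %s" % user.email}


def recover_uniform(identifier, outbox=None):
    """Work-around: URL and message derive from what was typed, whether or not
    it matches an account; only the side effect (sending mail) depends on lookup."""
    user = find_user(identifier)
    if user is not None:
        (outbox if outbox is not None else []).append(user.email)
    return {"status": 302, "next": "/recover/%s/" % sign(identifier, URL_SALT),
            "message": "An email was sent to %s" % identifier}


def leaks_existence(handler, known="alice", unknown="mallory"):
    """True if the status or the message (with the typed identifier masked)
    differs between a known and an unknown identifier."""
    a, b = handler(known), handler(unknown)
    return (a["status"], a["message"].replace(known, "?")) != \
           (b["status"], b["message"].replace(unknown, "?"))
```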