#26615: Changing user's email could invalidate password reset tokens
------------------------------------------------+------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
Sequence:
* Have account with email address [email protected]
* Password reset request for that email (unused)
* [email protected] account changes their email address
* Password reset email is used
The password reset email's token should be rejected at that point, but in
fact it is allowed.
The fix is to add the user's email address into
[https://github.com/django/django/blob/104727030c52a6cd5e85fdcc64dd6cfc906fc241/django/contrib/auth/tokens.py#L66-L72
PasswordResetTokenGenerator._make_hash_value()]
Nothing forces a user to even have an email as per `AbstractBaseUser`.
Perhaps the token generation method could be factored out onto the model,
ala `get_session_auth_hash()`.
--
Ticket URL: <https://code.djangoproject.com/ticket/26615>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/047.a74f1640837d578dfae23112e2928411%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
