#7723: DoS possible with django.contrib.auth.views.password_reset
----------------------------+-----------------------------------------------
Reporter: mafr              | Owner:
Status: new                 | Milestone:
Component: Authentication   | Version: SVN
Keywords:                    | Stage: Unreviewed
Has_patch: 0                 |
----------------------------+-----------------------------------------------
The password_reset view creates a new password, overwriting the existing one. Any user who knows your email address can trigger this process as often as he likes. The effect is that you can't log into your account until you have changed your password.
I think the existing password should remain valid even if a reset email has been triggered. The mail should contain a token that can be used to change the password; even if multiple password reset mails are sent, any token should be usable for password reset in a certain time window.

-- Ticket URL: <http://code.djangoproject.com/ticket/7723>
Django Code <http://code.djangoproject.com/>
The web framework for perfectionists with deadlines
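A sketch of the two behaviours the ticket contrasts: the overwrite-on-request reset it reports, and the token-based flow it proposes, where the existing password stays valid until a mailed token is redeemed. This is an added example, not Django's code; the Account and TokenReset classes, the three-day window in TOKEN_TTL and the in-memory token store are assumptions, and it goes one step past the ticket by voiding an account's other outstanding tokens once one of them has been redeemed.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3 * 24 * 3600  # assumed window: a reset link stays valid for three days


class Account:
    """Minimal user record (constructed for this example, not Django's User model)."""

    def __init__(self, email, password):
        self.email = email
        self.set_password(password)

    def set_password(self, password):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(self.password_hash, candidate)


def legacy_reset(account):
    """The behaviour the ticket reports: the request itself replaces the password."""
    new_password = secrets.token_urlsafe(12)
    account.set_password(new_password)
    return new_password  # mailed to the user; the old password no longer works


class TokenReset:
    """Proposed flow: a request only issues a token; the password changes when a token is redeemed."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (email, expiry); only the hash is stored

    def request(self, account):
        # Every request gets its own token; earlier tokens stay valid until they expire.
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (account.email, self._now() + TOKEN_TTL)
        return token  # goes into the email; the existing password is untouched

    def redeem(self, token, new_password, accounts):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(key)
        if entry is None or self._now() > entry[1]:
            self._pending.pop(key, None)  # unknown or expired: drop it, change nothing
            return False
        email = entry[0]
        accounts[email].set_password(new_password)
        # Once the password has changed, every outstanding token for that account is void.
        self._pending = {k: v for k, v in self._pending.items() if v[0] != email}
        return True
```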
