Bug 878035: Do not disclose whether a user account exists or not when a user clicks...

r=dkl a=LpSolit

diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 183c11f96eda5d62467deabbde34cbe8517caef3..d4224e33b1f219afbaac9ba3a41bc1d21a15b564 100644 (file)
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -122,13 +122,15 @@ sub IssuePasswordToken {
 
     ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon;
 
-    my ($token, $token_ts) = _create_token($user->id, 'password', remote_ip());
+    my $ip_addr = remote_ip();
+    my ($token, $token_ts) = _create_token($user->id, 'password', $ip_addr);
 
     # Mail the user the token along with instructions for using it.
     my $template = Bugzilla->template_inner($user->setting('lang'));
     my $vars = {};
 
     $vars->{'token'} = $token;
+    $vars->{'ip_addr'} = $ip_addr;
     $vars->{'emailaddress'} = $user->email;
     $vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400);
     # The user is not logged in (else he wouldn't request a new password).

diff --git a/template/en/default/account/password/forgotten-password.txt.tmpl b/template/en/default/account/password/forgotten-password.txt.tmpl
index 0c135a9ed90a6f1ca7cece6414e0006b7a582df3..de2e79596c97e70579d1ad9e93f7aaff58aff561 100644 (file)
--- a/template/en/default/account/password/forgotten-password.txt.tmpl
+++ b/template/en/default/account/password/forgotten-password.txt.tmpl
@@ -12,7 +12,9 @@ Subject:  [% terms.Bugzilla %] Change Password Request
 X-Bugzilla-Type: admin
 
 You have (or someone impersonating you has) requested to change your 
-[%+ terms.Bugzilla %] password. To complete the change, visit the following link:
+[%+ terms.Bugzilla %] password. The request originated from [% ip_addr %].
+
+To complete the change, visit the following link:
 
 [%+ urlbase %]token.cgi?t=[% token FILTER uri %]&a=cfmpw
 
@@ -24,3 +26,7 @@ this request, visit the following link:
 If you do nothing, the request will lapse after [% constants.MAX_TOKEN_AGE %] days
 (on [% expiration_ts FILTER time("%B %e, %Y at %H:%M %Z", timezone) %]) or when you
 log in successfully.
+
+If you think someone tried to compromise your account, please inform
+[%+ Param('maintainer') %] with the IP address reported above
+and the exact time when you got this email.

diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl
index 95b74f1dfed7f7be3440c533cb8cf14a9703e949..8851986681e8450d3b3b9db93783c7d2d0e02c6a 100644 (file)
--- a/template/en/default/global/messages.html.tmpl
+++ b/template/en/default/global/messages.html.tmpl
@@ -571,7 +571,8 @@
 
   [% ELSIF message_tag == "password_change_request" %]
     [% title = "Request to Change Password" %]
-    A token for changing your password has been emailed to you.
+    A token for changing your password has been emailed to
+    <em>[% login_name FILTER html %]</em>.
     Follow the instructions in that email to change your password.
 
   [% ELSIF message_tag == "password_changed" %]

diff --git a/token.cgi b/token.cgi
index c1630ec91ff500b6f1a002656b2ae066c6d4b2a9..030d264af7866991f171d2e91111efd249558a8c 100755 (executable)
--- a/token.cgi
+++ b/token.cgi
@@ -124,17 +124,18 @@ sub requestChangePassword {
       or ThrowUserError("login_needed_for_password_change");
 
     check_email_syntax($login_name);
-    my $user = Bugzilla::User->check($login_name);
+    my $user = new Bugzilla::User({ name => $login_name });
 
     # Make sure the user account is active.
-    if (!$user->is_enabled) {
+    if ($user && !$user->is_enabled) {
         ThrowUserError('account_disabled',
                        {disabled_reason => get_text('account_disabled', {account => $login_name})});
     }
 
-    Bugzilla::Token::IssuePasswordToken($user);
+    Bugzilla::Token::IssuePasswordToken($user) if $user;
 
     $vars->{'message'} = "password_change_request";
+    $vars->{'login_name'} = $login_name;
 
     print $cgi->header();
     $template->process("global/message.html.tmpl", $vars)