From: Frédéric Buclin Date: Thu, 6 Jun 2013 20:46:30 +0000 (+0200) Subject: Bug 878035: Do not disclose whether a user account exists or not when a user clicks... X-Git-Tag: bugzilla-4.5.1~149 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a905395d7fd7dce12a8f51b68aaeede0959480b6;p=thirdparty%2Fbugzilla.git Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password" r=dkl a=LpSolit --- diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm index 183c11f96e..d4224e33b1 100644 --- a/Bugzilla/Token.pm +++ b/Bugzilla/Token.pm @@ -122,13 +122,15 @@ sub IssuePasswordToken { ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon; - my ($token, $token_ts) = _create_token($user->id, 'password', remote_ip()); + my $ip_addr = remote_ip(); + my ($token, $token_ts) = _create_token($user->id, 'password', $ip_addr); # Mail the user the token along with instructions for using it. my $template = Bugzilla->template_inner($user->setting('lang')); my $vars = {}; $vars->{'token'} = $token; + $vars->{'ip_addr'} = $ip_addr; $vars->{'emailaddress'} = $user->email; $vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400); # The user is not logged in (else he wouldn't request a new password). diff --git a/template/en/default/account/password/forgotten-password.txt.tmpl b/template/en/default/account/password/forgotten-password.txt.tmpl index 0c135a9ed9..de2e79596c 100644 --- a/template/en/default/account/password/forgotten-password.txt.tmpl +++ b/template/en/default/account/password/forgotten-password.txt.tmpl @@ -12,7 +12,9 @@ Subject: [% terms.Bugzilla %] Change Password Request X-Bugzilla-Type: admin You have (or someone impersonating you has) requested to change your -[%+ terms.Bugzilla %] password. To complete the change, visit the following link: +[%+ terms.Bugzilla %] password. The request originated from [% ip_addr %]. + +To complete the change, visit the following link: [%+ urlbase %]token.cgi?t=[% token FILTER uri %]&a=cfmpw @@ -24,3 +26,7 @@ this request, visit the following link: If you do nothing, the request will lapse after [% constants.MAX_TOKEN_AGE %] days (on [% expiration_ts FILTER time("%B %e, %Y at %H:%M %Z", timezone) %]) or when you log in successfully. + +If you think someone tried to compromise your account, please inform +[%+ Param('maintainer') %] with the IP address reported above +and the exact time when you got this email. diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl index 95b74f1dfe..8851986681 100644 --- a/template/en/default/global/messages.html.tmpl +++ b/template/en/default/global/messages.html.tmpl @@ -571,7 +571,8 @@ [% ELSIF message_tag == "password_change_request" %] [% title = "Request to Change Password" %] - A token for changing your password has been emailed to you. + A token for changing your password has been emailed to + [% login_name FILTER html %]. Follow the instructions in that email to change your password. [% ELSIF message_tag == "password_changed" %] diff --git a/token.cgi b/token.cgi index c1630ec91f..030d264af7 100755 --- a/token.cgi +++ b/token.cgi @@ -124,17 +124,18 @@ sub requestChangePassword { or ThrowUserError("login_needed_for_password_change"); check_email_syntax($login_name); - my $user = Bugzilla::User->check($login_name); + my $user = new Bugzilla::User({ name => $login_name }); # Make sure the user account is active. - if (!$user->is_enabled) { + if ($user && !$user->is_enabled) { ThrowUserError('account_disabled', {disabled_reason => get_text('account_disabled', {account => $login_name})}); } - Bugzilla::Token::IssuePasswordToken($user); + Bugzilla::Token::IssuePasswordToken($user) if $user; $vars->{'message'} = "password_change_request"; + $vars->{'login_name'} = $login_name; print $cgi->header(); $template->process("global/message.html.tmpl", $vars)