Stop enumeration of email addresses via forgot pw

https://www.pivotaltracker.com/story/show/113840073

Previously the forgot password page would give an error if you entered an email
address which didn’t belong to an account.

This would allow a potential attacker to know which email addresses were
registered.

This commit changes the response to always be the same, whether or not the email
address exists.

Also, this is a good read about the dangers of asserting whether a mocked method
was called: http://engineeringblog.yelp.com/2015/02/assert_called_once-threat-or-menace.html
This commit is contained in:
Chris Hill-Scott
2016-02-17 10:24:32 +00:00
parent 6a39c8e187
commit e0e445c520
3 changed files with 42 additions and 7 deletions


@@ -15,6 +15,7 @@ def forgot_password():
users_dao.request_password_reset(user)
send_change_password_email(form.email_address.data)
return render_template('views/password-reset-sent.html')
flash('There was an error processing your request')
else:
return render_template('views/password-reset-sent.html')
return render_template('views/forgot-password.html', form=form)
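Review bot: the `flash('There was an error processing your request')` path still falls through to `render_template('views/forgot-password.html', form=form)`, while the new `else:` branch renders `views/password-reset-sent.html`; if the condition that reaches the flash can be triggered by the submitted email address (for example a lookup failure for an unknown user), the two responses remain distinguishable and the enumeration the commit message describes is not fully closed. Suggest confirming that the flash branch is only reachable on failures unrelated to account existence, or routing it to the same `password-reset-sent` template as well. Also note that the registered-user path calls `users_dao.request_password_reset(user)` and `send_change_password_email(...)` before returning, whereas the `else:` branch returns immediately, so response timing still differs between the two cases; a brief comment documenting that residual side channel (or deferring the send) would help future readers.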