summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2020-04-27 18:06:11 +0200
committerGitHub <noreply@github.com>2020-04-27 18:06:11 +0200
commitca769c8c13df46b8153a0a4ab3d748e88d6e26f9 (patch)
treefa7079326399ac2ba4764fad286e11ad8f9da45f
parent71d9876e39abafe81e031b92ecd300c7d13346ea (diff)
Fixed #31505 -- Doc'd possible email addresses enumeration in PasswordResetView.
-rw-r--r--docs/topics/auth/default.txt10
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index 05c3a7f693..9cebdf4a3e 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -1238,6 +1238,16 @@ implementation details see :ref:`using-the-views`.
:class:`~django.contrib.auth.forms.PasswordResetForm` and use the
``form_class`` attribute.
+ .. note::
+
+ Be aware that sending an email costs extra time, hence you may be
+ vulnerable to an email address enumeration timing attack due to a
+ difference between the duration of a reset request for an existing
+ email address and the duration of a reset request for a nonexistent
+ email address. To reduce the overhead, you can use a 3rd party package
+ that allows to send emails asynchronously, e.g. `django-mailer
+ <https://pypi.org/project/django-mailer/>`_.
+
Users flagged with an unusable password (see
:meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
allowed to request a password reset to prevent misuse when using an