diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-04-27 18:06:11 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-04-27 18:06:11 +0200 |
| commit | ca769c8c13df46b8153a0a4ab3d748e88d6e26f9 (patch) | |
| tree | fa7079326399ac2ba4764fad286e11ad8f9da45f | |
| parent | 71d9876e39abafe81e031b92ecd300c7d13346ea (diff) | |
Fixed #31505 -- Doc'd possible email addresses enumeration in PasswordResetView.
| -rw-r--r-- | docs/topics/auth/default.txt | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index 05c3a7f693..9cebdf4a3e 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -1238,6 +1238,16 @@ implementation details see :ref:`using-the-views`. :class:`~django.contrib.auth.forms.PasswordResetForm` and use the ``form_class`` attribute. + .. note:: + + Be aware that sending an email costs extra time, hence you may be + vulnerable to an email address enumeration timing attack due to a + difference between the duration of a reset request for an existing + email address and the duration of a reset request for a nonexistent + email address. To reduce the overhead, you can use a 3rd party package + that allows to send emails asynchronously, e.g. `django-mailer + <https://pypi.org/project/django-mailer/>`_. + Users flagged with an unusable password (see :meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't allowed to request a password reset to prevent misuse when using an |
