summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLuke Plant <L.Plant.98@cantab.net>2010-11-04 12:39:27 +0000
committerLuke Plant <L.Plant.98@cantab.net>2010-11-04 12:39:27 +0000
commitfca56e845065da91e13b6511cc8cf7b70ad1272e (patch)
treeb1ba42eccca61d442ce7e15b89bd44d6aa820078
parent74b566e81ccb0e12372bcd5828e9724f4aee8f1b (diff)
[1.2.X] Fixed #14612 - Password reset page leaks valid user ids publicly.
Thanks to PaulM for the report. Backport of [14456] from trunk. git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@14458 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r--django/contrib/auth/tests/views.py6
-rw-r--r--django/contrib/auth/views.py8
2 files changed, 10 insertions, 4 deletions
diff --git a/django/contrib/auth/tests/views.py b/django/contrib/auth/tests/views.py
index 808de1052e..22fdbd6eaf 100644
--- a/django/contrib/auth/tests/views.py
+++ b/django/contrib/auth/tests/views.py
@@ -82,6 +82,12 @@ class PasswordResetTest(AuthViewsTestCase):
self.assertEquals(response.status_code, 200)
self.assert_("The password reset link was invalid" in response.content)
+ def test_confirm_invalid_user(self):
+ # Ensure that we get a 200 response for a non-existant user, not a 404
+ response = self.client.get('/reset/123456-1-1/')
+ self.assertEquals(response.status_code, 200)
+ self.assert_("The password reset link was invalid" in response.content)
+
def test_confirm_invalid_post(self):
# Same as test_confirm_invalid, but trying
# to do a POST instead.
diff --git a/django/contrib/auth/views.py b/django/contrib/auth/views.py
index 197799eb9e..6f75873fe0 100644
--- a/django/contrib/auth/views.py
+++ b/django/contrib/auth/views.py
@@ -142,13 +142,13 @@ def password_reset_confirm(request, uidb36=None, token=None, template_name='regi
post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete')
try:
uid_int = base36_to_int(uidb36)
- except ValueError:
- raise Http404
+ user = User.objects.get(id=uid_int)
+ except (ValueError, User.DoesNotExist):
+ user = None
- user = get_object_or_404(User, id=uid_int)
context_instance = RequestContext(request)
- if token_generator.check_token(user, token):
+ if user is not None and token_generator.check_token(user, token):
context_instance['validlink'] = True
if request.method == 'POST':
form = set_password_form(user, request.POST)