summaryrefslogtreecommitdiff
path: root/docs/ref
diff options
context:
space:
mode:
authorNatalia <124304+nessita@users.noreply.github.com>2024-08-19 14:47:38 -0300
committerNatalia <124304+nessita@users.noreply.github.com>2024-09-03 09:42:25 -0300
commitbf4888d317ba4506d091eeac6e8b4f1fcc731199 (patch)
tree0b8baf1660f99e2363b9f3a762b73f3703b947e7 /docs/ref
parentd147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2 (diff)
[4.2.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.
On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response. Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam Johnson, and Sarah Boyce for the reviews.
Diffstat (limited to 'docs/ref')
-rw-r--r--docs/ref/logging.txt12
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/ref/logging.txt b/docs/ref/logging.txt
index b11fb752f7..3d33e0af63 100644
--- a/docs/ref/logging.txt
+++ b/docs/ref/logging.txt
@@ -204,6 +204,18 @@ all database queries.
Support for logging transaction management queries (``BEGIN``, ``COMMIT``,
and ``ROLLBACK``) was added.
+.. _django-contrib-auth-logger:
+
+``django.contrib.auth``
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 4.2.16
+
+Log messages related to :doc:`contrib/auth`, particularly ``ERROR`` messages
+are generated when a :class:`~django.contrib.auth.forms.PasswordResetForm` is
+successfully submitted but the password reset email cannot be delivered due to
+a mail sending exception.
+
.. _django-security-logger:
``django.security.*``