diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-04-27 18:06:11 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2020-04-27 18:07:34 +0200 |
| commit | 04bc3577eddef6bef52d440f4f53877bcae264c5 (patch) | |
| tree | 5b96ee5aed855bf51ec61eaac1dbad2450b91089 /docs | |
| parent | 657992cf192b38d7000d9000623c002b3451c401 (diff) | |
[3.0.x] Fixed #31505 -- Doc'd possible email addresses enumeration in PasswordResetView.
Backport of ca769c8c13df46b8153a0a4ab3d748e88d6e26f9 from master
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/topics/auth/default.txt | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index e89380aac4..a4969adf7f 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -1248,6 +1248,16 @@ implementation details see :ref:`using-the-views`. :class:`~django.contrib.auth.forms.PasswordResetForm` and use the ``form_class`` attribute. + .. note:: + + Be aware that sending an email costs extra time, hence you may be + vulnerable to an email address enumeration timing attack due to a + difference between the duration of a reset request for an existing + email address and the duration of a reset request for a nonexistent + email address. To reduce the overhead, you can use a 3rd party package + that allows to send emails asynchronously, e.g. `django-mailer + <https://pypi.org/project/django-mailer/>`_. + Users flagged with an unusable password (see :meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't allowed to request a password reset to prevent misuse when using an |
