summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2020-04-27 18:06:11 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2020-04-27 18:07:34 +0200
commit04bc3577eddef6bef52d440f4f53877bcae264c5 (patch)
tree5b96ee5aed855bf51ec61eaac1dbad2450b91089 /docs
parent657992cf192b38d7000d9000623c002b3451c401 (diff)
[3.0.x] Fixed #31505 -- Doc'd possible email addresses enumeration in PasswordResetView.
Backport of ca769c8c13df46b8153a0a4ab3d748e88d6e26f9 from master
Diffstat (limited to 'docs')
-rw-r--r--docs/topics/auth/default.txt10
1 files changed, 10 insertions, 0 deletions
diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
index e89380aac4..a4969adf7f 100644
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@@ -1248,6 +1248,16 @@ implementation details see :ref:`using-the-views`.
:class:`~django.contrib.auth.forms.PasswordResetForm` and use the
``form_class`` attribute.
+ .. note::
+
+ Be aware that sending an email costs extra time, hence you may be
+ vulnerable to an email address enumeration timing attack due to a
+ difference between the duration of a reset request for an existing
+ email address and the duration of a reset request for a nonexistent
+ email address. To reduce the overhead, you can use a 3rd party package
+ that allows to send emails asynchronously, e.g. `django-mailer
+ <https://pypi.org/project/django-mailer/>`_.
+
Users flagged with an unusable password (see
:meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
allowed to request a password reset to prevent misuse when using an