[Django] #26615: Changing user's email could invalidate password reset tokens


Django

May 13, 2016, 5:08:44 PM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
------------------------------------------------+------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Keywords:
Triage Stage: Accepted | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
------------------------------------------------+------------------------
Sequence:
* Have account with email address f...@bar.com
* Password reset request for that email (unused)
* f...@bar.com account changes their email address
* Password reset email is used

The password reset email's token should be rejected at that point, but in
fact it is allowed.

The fix is to add the user's email address into
[https://github.com/django/django/blob/104727030c52a6cd5e85fdcc64dd6cfc906fc241/django/contrib/auth/tokens.py#L66-L72
PasswordResetTokenGenerator._make_hash_value()]

Nothing forces a user to even have an email as per `AbstractBaseUser`.
Perhaps the token generation method could be factored out onto the model,
à la `get_session_auth_hash()`.

--
Ticket URL: <https://code.djangoproject.com/ticket/26615>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
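The sequence in the ticket, as an added example that is not part of the ticket or of Django's own code. It models the reset token scheme with the standard library only: a keyed hash over the user fields, recomputed from the user's current state and compared in constant time on check, with the legacy hash value (no email) beside one that also covers the email address. SECRET_KEY, the salts, the User dataclass, the constructed password hash and timeline, and the one-day window are assumptions; Django's real generator uses salted_hmac with settings.SECRET_KEY and a days-since-2001 timestamp, both simplified here.

```python
"""
Stdlib-only model of a password reset token scheme, used to show why the
email address must be part of the signed hash value.  Added example, not
django.contrib.auth.tokens: SECRET_KEY, the salts, the User dataclass and
the one-day timeout are constructed for the demonstration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed secret for the example; Django would use settings.SECRET_KEY.
SECRET_KEY = b"constructed-secret-key-for-this-example-only"
TOKEN_TIMEOUT = timedelta(days=1)  # assumed reset window


@dataclass
class User:
    """Minimal stand-in for a user; email is optional, as on AbstractBaseUser."""
    pk: int
    password: str                   # the stored password hash (user.password)
    last_login: Optional[datetime]
    email: str = ""


def _sign(value: str, salt: bytes) -> str:
    """Keyed hash of the value under a per-purpose salt (simplified salted_hmac)."""
    key = hashlib.sha256(salt + SECRET_KEY).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[::2]


class LegacyTokenGenerator:
    """Pre-fix behaviour: the hash value does not cover the email address."""
    salt = b"constructed.salt.legacy"

    def _make_hash_value(self, user: User, ts: int) -> str:
        login = "" if user.last_login is None else user.last_login.replace(microsecond=0).isoformat()
        return f"{user.pk}{user.password}{login}{ts}"

    def _token_for(self, user: User, ts: int) -> str:
        return f"{ts:x}-{_sign(self._make_hash_value(user, ts), self.salt)}"

    def make_token(self, user: User, now: datetime) -> str:
        return self._token_for(user, int(now.timestamp()))

    def check_token(self, user: User, token: str, now: datetime) -> bool:
        try:
            ts_hex, _sig = token.split("-")
            ts = int(ts_hex, 16)
        except ValueError:
            return False
        # Recompute from the user's current state: any covered field that
        # changed since issuance yields a different signature.
        if not hmac.compare_digest(self._token_for(user, ts), token):
            return False
        return 0 <= now.timestamp() - ts <= TOKEN_TIMEOUT.total_seconds()


class EmailBoundTokenGenerator(LegacyTokenGenerator):
    """Fixed behaviour: the email is appended, '' for users without one."""
    salt = b"constructed.salt.email-bound"

    def _make_hash_value(self, user: User, ts: int) -> str:
        email = getattr(user, "email", "") or ""
        return super()._make_hash_value(user, ts) + email


def reproduce(generator_cls) -> tuple:
    """Run the ticket's sequence; returns (valid before email change, valid after)."""
    gen = generator_cls()
    issued_at = datetime(2016, 5, 13, 17, 8)  # constructed timeline
    user = User(pk=1, password="pbkdf2_sha256$constructed-hash",
                last_login=issued_at - timedelta(days=3), email="foo@bar.com")
    token = gen.make_token(user, now=issued_at)          # reset requested, unused
    valid_before = gen.check_token(user, token, now=issued_at)
    user.email = "new-address@bar.com"                    # account changes its email
    valid_after = gen.check_token(user, token, now=issued_at + timedelta(minutes=5))
    return valid_before, valid_after


def works_without_email() -> bool:
    """A user with no email address still gets a usable token under the fixed scheme."""
    gen = EmailBoundTokenGenerator()
    now = datetime(2016, 5, 13, 17, 8)
    user = User(pk=2, password="pbkdf2_sha256$constructed-hash", last_login=None)
    return gen.check_token(user, gen.make_token(user, now), now=now)


if __name__ == "__main__":
    print("legacy (before, after):", reproduce(LegacyTokenGenerator))          # (True, True)
    print("email-bound (before, after):", reproduce(EmailBoundTokenGenerator))  # (True, False)
    print("no-email user:", works_without_email())                             # True
```

Running it shows the legacy generator still accepting the token after the address changes, while the email-bound one rejects it; the user without an email address, which `AbstractBaseUser` allows, still gets a working token because the missing field contributes an empty string instead of raising.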

Django

May 15, 2016, 10:22:05 PM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
--------------------------------------+------------------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by SilasX):

* has_patch: 0 => 1


Comment:

[https://github.com/django/django/pull/6608 PR]

--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:1>

Django

May 16, 2016, 7:47:28 AM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
--------------------------------------+------------------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by timgraham):

* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:2>

Django

May 17, 2016, 10:50:10 PM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
--------------------------------------+------------------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by SilasX):

* needs_better_patch: 1 => 0


Comment:

[https://github.com/django/django/pull/6620 PR resubmit]

--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:3>

Django

May 17, 2016, 10:54:46 PM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
--------------------------------------+------------------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by SilasX):

[https://github.com/django/django/pull/6621 PR resubmit 2]

--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:4>

Django

May 18, 2016, 1:55:00 PM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
--------------------------------------+------------------------------------
Reporter: Alex | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by berkerpeksag):

* needs_better_patch: 0 => 1

* needs_docs: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:5>

Django

Jul 2, 2016, 10:25:48 AM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
--------------------------------------+------------------------------------
Reporter: Alex | Owner: rosco77
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by rosco77):

* owner: nobody => rosco77
* status: new => assigned


--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:6>

Django

Jul 2, 2016, 11:55:14 AM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
--------------------------------------+------------------------------------
Reporter: Alex | Owner: rosco77
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by rosco77):

New pull request made at https://github.com/django/django/pull/6868
containing requested documentation

--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:7>

Django

Jul 5, 2016, 10:56:05 AM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
--------------------------------------+------------------------------------
Reporter: Alex | Owner: rosco77
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by timgraham):

* needs_better_patch: 1 => 0

* needs_docs: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:8>

Django

Jul 8, 2016, 3:11:25 PM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
--------------------------------------+------------------------------------
Reporter: Alex | Owner: rosco77
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by timgraham):

* needs_better_patch: 0 => 1


Comment:

Comments for improvement are on the PR.

--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:9>

Django

Sep 7, 2020, 3:27:49 PM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
--------------------------------------+------------------------------------
Reporter: Alex Gaynor | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by felixxm):

* owner: Ross Curzon-Butler => (none)
* status: assigned => new


--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:10>

Django

Oct 17, 2020, 12:46:30 PM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Jacob Walls
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* owner: (none) => Jacob Walls


* status: new => assigned


Comment:

New PR forthcoming, new patch plus original test written by Silas.

--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:11>

Django

Oct 20, 2020, 7:25:36 AM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Jacob Walls
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 1 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* needs_better_patch: 0 => 1

* needs_tests: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:13>

Django

Oct 20, 2020, 9:47:03 AM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Jacob Walls
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Jacob Walls):

* needs_better_patch: 1 => 0
* needs_tests: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:14>

Django

Oct 20, 2020, 2:49:00 PM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Jacob Walls
Type: Cleanup/optimization | Status: assigned
Component: contrib.auth | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:15>

Django

Oct 21, 2020, 4:53:43 AM
to django-...@googlegroups.com
#26615: Changing user's email could invalidate password reset tokens
-------------------------------------+-------------------------------------
Reporter: Alex Gaynor | Owner: Jacob Walls
Type: Cleanup/optimization | Status: closed
Component: contrib.auth | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"0362b0e986303858081f607ffad2e8e14be8775e" 0362b0e9]:
{{{
#!CommitTicketReference repository=""
revision="0362b0e986303858081f607ffad2e8e14be8775e"
Fixed #26615 -- Made password reset token invalidate when changing email.

Co-Authored-By: Silas Barta <sba...@gmail.com>
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/26615#comment:16>
