py4web-1.20260216.1: reset_password causes 500


pe...@anewalt.com

Mar 7, 2026, 9:36:59 AM
to py4web
Here is a stack trace:
Traceback (most recent call last):
  File "/home/pete/venv-hmp/lib/python3.12/site-packages/py4web/core.py", line 1061, in wrapper
    ret = func(*func_args, **func_kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/pete/venv-hmp/lib/python3.12/site-packages/py4web/core.py", line 1046, in wrapper
    raise exception
  File "/home/pete/venv-hmp/lib/python3.12/site-packages/py4web/core.py", line 1022, in wrapper
    context["output"] = func(*args, **kwargs)
                        ^^^^^^^^^^^^^^^^^^^^^
  File "/home/pete/venv-hmp/lib/python3.12/site-packages/py4web/utils/auth.py", line 1169, in _
    form=form_factory(), path=path, user=auth.get_user(), **env
         ^^^^^^^^^^^^^^
  File "/home/pete/venv-hmp/lib/python3.12/site-packages/py4web/utils/auth.py", line 2008, in reset_password
    )
  File "/home/pete/venv-hmp/lib/python3.12/site-packages/py4web/utils/auth.py", line 2065, in _process_change_password_form
    new_password = request.forms.get("new_password")
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/pete/venv-hmp/lib/python3.12/site-packages/py4web/utils/auth.py", line 837, in change_password
    if new_pwd == user.password:
                  ^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'password'


Changing line 1996 in auth.py from:
user = None
to:
user = self.auth.db.auth_user(self.auth.user_id)
fixes the problem.

Massimo DiPierro

Mar 8, 2026, 3:01:46 AM
to py4web
It should not fail that way and I fixed it in master, but I think you may be using it wrong.

If you are logged in, know your password and want to change it you call

If you forgot the password and want to change it, you call
which sends you an email to verify your identity, and after clicking the link in the email, redirects you to 

Your proposed fix would allow somebody logged in to change the password without checking the existing password.
This could be considered a vulnerability.

If instead that is exactly what you are trying to achieve, we could add that functionality but would have to be opt in.

Massimo
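The two flows Massimo distinguishes, as an added illustration that is not py4web's own code: a logged-in change that must verify the current password, a forgot-password reset that relies on a short-lived single-use token instead, and the effect of the proposed one-line fix. The in-memory user store, hashing and token handling are hypothetical stand-ins.

```python
import hashlib, hmac, os, secrets, time

# Constructed in-memory user store standing in for auth_user (hypothetical).
USERS = {}

def _hash(pwd, salt):
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 100_000).hex()

def add_user(user_id, email, pwd):
    salt = os.urandom(16)
    USERS[user_id] = {"email": email, "salt": salt,
                      "password": _hash(pwd, salt), "action_token": None}

def _password_ok(user, pwd):
    return hmac.compare_digest(user["password"], _hash(pwd, user["salt"]))

def change_password(session_user_id, old_pwd, new_pwd):
    """Logged-in flow: the caller must prove knowledge of the current password."""
    user = USERS.get(session_user_id)
    if user is None or not _password_ok(user, old_pwd):
        return False
    user["password"] = _hash(new_pwd, user["salt"])
    return True

def issue_reset_token(email, ttl=900):
    """Forgot-password flow, step 1: mint a single-use, expiring token for one account."""
    for user in USERS.values():
        if user["email"] == email:
            token = secrets.token_urlsafe(32)
            user["action_token"] = (token, time.time() + ttl)
            return token  # in a real app this only ever travels inside the e-mail link
    return None

def reset_password(token, new_pwd):
    """Forgot-password flow, step 2: a valid token replaces the old-password check."""
    for user in USERS.values():
        stored = user.get("action_token")
        if stored and hmac.compare_digest(stored[0], token) and time.time() < stored[1]:
            user["action_token"] = None  # single use
            user["password"] = _hash(new_pwd, user["salt"])
            return True
    return False

def change_password_unchecked(session_user_id, new_pwd):
    """What the proposed fix amounts to: a session alone authorizes the change,
    so the current password is never verified."""
    user = USERS.get(session_user_id)
    if user is None:
        return False
    user["password"] = _hash(new_pwd, user["salt"])
    return True
```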

pe...@anewalt.com

Mar 15, 2026, 8:59:32 AM
to py4web
I had a user who insisted she was not getting the password-reset emails, so I had to reset her password for her.  Navigating to auth/reset_password while impersonating her was an expedient way to resolve.  I tried to construct a link using what I thought was the token, taken from auth_user.action_token for that user, but it didn't seem to work so I did it this way instead.  Agreed it's a potential vulnerability, and if there's a safer way to accomplish this I would do it instead.  

BTW, when you say "using it wrong", I can't work out how anyone would use this without introducing the vulnerability you mention.  What was the intended use of this functionality?  
