diff options
| author | Frédéric Buclin <LpSolit@gmail.com> | 2013-06-06 22:46:30 +0200 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-06-06 22:46:30 +0200 |
| commit | a905395d7fd7dce12a8f51b68aaeede0959480b6 (patch) | |
| tree | 689eaf2d1f1b10c62c70d815fd1baf51496818d0 /Bugzilla | |
| parent | bb45718c677f941ef0ec214cf87ce6bb85f0fa4e (diff) | |
| download | bugzilla-a905395d7fd7dce12a8f51b68aaeede0959480b6.tar.gz bugzilla-a905395d7fd7dce12a8f51b68aaeede0959480b6.tar.xz | |
Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password"
r=dkl a=LpSolit
Diffstat (limited to 'Bugzilla')
| -rw-r--r-- | Bugzilla/Token.pm | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm index 183c11f96..d4224e33b 100644 --- a/Bugzilla/Token.pm +++ b/Bugzilla/Token.pm @@ -122,13 +122,15 @@ sub IssuePasswordToken { ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon; - my ($token, $token_ts) = _create_token($user->id, 'password', remote_ip()); + my $ip_addr = remote_ip(); + my ($token, $token_ts) = _create_token($user->id, 'password', $ip_addr); # Mail the user the token along with instructions for using it. my $template = Bugzilla->template_inner($user->setting('lang')); my $vars = {}; $vars->{'token'} = $token; + $vars->{'ip_addr'} = $ip_addr; $vars->{'emailaddress'} = $user->email; $vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400); # The user is not logged in (else he wouldn't request a new password). |