authorFrédéric Buclin <LpSolit@gmail.com>2013-06-06 22:46:30 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2013-06-06 22:46:30 +0200
commita905395d7fd7dce12a8f51b68aaeede0959480b6 (patch)
tree689eaf2d1f1b10c62c70d815fd1baf51496818d0 /Bugzilla
parentbb45718c677f941ef0ec214cf87ce6bb85f0fa4e (diff)
Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password"
r=dkl a=LpSolit
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Token.pm4
1 files changed, 3 insertions, 1 deletions
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 183c11f96..d4224e33b 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -122,13 +122,15 @@ sub IssuePasswordToken {
ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon;
- my ($token, $token_ts) = _create_token($user->id, 'password', remote_ip());
+ my $ip_addr = remote_ip();
+ my ($token, $token_ts) = _create_token($user->id, 'password', $ip_addr);
# Mail the user the token along with instructions for using it.
my $template = Bugzilla->template_inner($user->setting('lang'));
my $vars = {};
$vars->{'token'} = $token;
+ $vars->{'ip_addr'} = $ip_addr;
$vars->{'emailaddress'} = $user->email;
$vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400);
# The user is not logged in (else he wouldn't request a new password).
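Review bot: The new `$vars->{'ip_addr'} = $ip_addr;` line passes the requester's address into the password-reset mail with no comment saying why, and without any visible check on the value. A short comment above it would help, for example `# Show the recipient which address requested the reset, so an unexpected mail can be recognised and reported.` How remote_ip() derives its result is not visible in this hunk. If it can return a value taken from a client-supplied forwarding header, the address shown in the mail is attacker-influenced, so the template should render it as plain, filtered text and it may be worth validating it as an IP literal first. Reading remote_ip() once into `$ip_addr` is a good choice, because the address stored with the token and the one shown in the mail cannot differ. The body of IssuePasswordToken starts and ends outside this hunk, so the template side of this change could not be checked here.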