Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password"

r=dkl a=LpSolit

2 files changed, 9 insertions, 2 deletions

diff --git a/template/en/default/account/password/forgotten-password.txt.tmpl b/template/en/default/account/password/forgotten-password.txt.tmpl
index 0c135a9ed..de2e79596 100644
--- a/template/en/default/account/password/forgotten-password.txt.tmpl
+++ b/template/en/default/account/password/forgotten-password.txt.tmpl
@@ -12,7 +12,9 @@ Subject:  [% terms.Bugzilla %] Change Password Request
 X-Bugzilla-Type: admin
 
 You have (or someone impersonating you has) requested to change your 
-[%+ terms.Bugzilla %] password. To complete the change, visit the following link:
+[%+ terms.Bugzilla %] password. The request originated from [% ip_addr %].
+
+To complete the change, visit the following link:
 
 [%+ urlbase %]token.cgi?t=[% token FILTER uri %]&a=cfmpw
 
@@ -24,3 +26,7 @@ this request, visit the following link:
 If you do nothing, the request will lapse after [% constants.MAX_TOKEN_AGE %] days
 (on [% expiration_ts FILTER time("%B %e, %Y at %H:%M %Z", timezone) %]) or when you
 log in successfully.
+
+If you think someone tried to compromise your account, please inform
+[%+ Param('maintainer') %] with the IP address reported above
+and the exact time when you got this email.
diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl
index 95b74f1df..885198668 100644
--- a/template/en/default/global/messages.html.tmpl
+++ b/template/en/default/global/messages.html.tmpl
@@ -571,7 +571,8 @@
 
   [% ELSIF message_tag == "password_change_request" %]
     [% title = "Request to Change Password" %]
-    A token for changing your password has been emailed to you.
+    A token for changing your password has been emailed to
+    <em>[% login_name FILTER html %]</em>.
     Follow the instructions in that email to change your password.
 
   [% ELSIF message_tag == "password_changed" %]