author | Frédéric Buclin <LpSolit@gmail.com> | 2013-06-06 22:46:30 +0200 |
committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-06-06 22:46:30 +0200 |
commit | a905395d7fd7dce12a8f51b68aaeede0959480b6 (patch) | |
tree | 689eaf2d1f1b10c62c70d815fd1baf51496818d0 /token.cgi | |
parent | bb45718c677f941ef0ec214cf87ce6bb85f0fa4e (diff) | |
Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password"
r=dkl a=LpSolit
Diffstat (limited to 'token.cgi')
-rwxr-xr-x | token.cgi | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -124,17 +124,18 @@ sub requestChangePassword {
         or ThrowUserError("login_needed_for_password_change");
     check_email_syntax($login_name);
-    my $user = Bugzilla::User->check($login_name);
+    my $user = new Bugzilla::User({ name => $login_name });
     # Make sure the user account is active.
-    if (!$user->is_enabled) {
+    if ($user && !$user->is_enabled) {
         ThrowUserError('account_disabled', {disabled_reason => get_text('account_disabled', {account => $login_name})});
     }
-    Bugzilla::Token::IssuePasswordToken($user);
+    Bugzilla::Token::IssuePasswordToken($user) if $user;
     $vars->{'message'} = "password_change_request";
+    $vars->{'login_name'} = $login_name;
     print $cgi->header();
     $template->process("global/message.html.tmpl", $vars)
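Review bot: The `account_disabled` branch kept under the new `if ($user && !$user->is_enabled)` check still lets a caller learn that a login name belongs to an existing account, because an unknown address now falls through to the generic `password_change_request` message while a disabled one still gets a distinct error page. If the commit's goal is a uniform response, the disabled case could be folded into the silent path, e.g. `Bugzilla::Token::IssuePasswordToken($user) if $user && $user->is_enabled;` with the `ThrowUserError('account_disabled', ...)` block dropped, or the residual disclosure should be made explicit with a comment such as `# Disabled accounts are still reported explicitly; this deliberately reveals that the account exists.` Since the token is only issued when `$user` is defined, response time presumably differs between known and unknown addresses as well — worth measuring rather than assuming it is negligible. Stylistically, `Bugzilla::User->new({ name => $login_name })` avoids indirect-object syntax, though the file may use `new Class` elsewhere. The body of requestChangePassword continues past the end of the hunk.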