From a905395d7fd7dce12a8f51b68aaeede0959480b6 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Thu, 6 Jun 2013 22:46:30 +0200
Subject: Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password"
r=dkl a=LpSolit
---
 Bugzilla/Token.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'Bugzilla/Token.pm')
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 183c11f96..d4224e33b 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -122,13 +122,15 @@ sub IssuePasswordToken {
     ThrowUserError('too_soon_for_new_token', {'type' => 'password'}) if $too_soon;
-    my ($token, $token_ts) = _create_token($user->id, 'password', remote_ip());
+    my $ip_addr = remote_ip();
+    my ($token, $token_ts) = _create_token($user->id, 'password', $ip_addr);
     # Mail the user the token along with instructions for using it.
     my $template = Bugzilla->template_inner($user->setting('lang'));
     my $vars = {};
     $vars->{'token'} = $token;
+    $vars->{'ip_addr'} = $ip_addr;
     $vars->{'emailaddress'} = $user->email;
     $vars->{'expiration_ts'} = ctime($token_ts + MAX_TOKEN_AGE * 86400);
     # The user is not logged in (else he wouldn't request a new password).
-- 
cgit v1.2.3-24-g4f1b
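Review bot: The `ThrowUserError('too_soon_for_new_token', ...)` context line still surfaces a user-visible error only when the account exists and was recently asked for a token, so a second request within the window answers differently for a real account than for an unknown one; that response difference is outside what this hunk changes (the non-existent-account path lives in the caller, not shown here), so it is worth confirming the caller returns the same page in both cases and the stated goal of the commit holds. The new `$vars->{'ip_addr'} = $ip_addr;` line has no comment saying why the requester's address is now handed to the mail template; presumably it lets the recipient recognise a request they did not make, and a line such as `# Requester's IP goes into the mail so the recipient can tell whether the request was theirs.` would make the intent explicit. Since `remote_ip()` is now read once and reused for both the token record and the mail, a note that the two must agree for later auditing would help future readers. The enclosing sub IssuePasswordToken starts and ends outside the hunk.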