From a905395d7fd7dce12a8f51b68aaeede0959480b6 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Thu, 6 Jun 2013 22:46:30 +0200 Subject: Bug 878035: Do not disclose whether a user account exists or not when a user clicks "forgot password" r=dkl a=LpSolit --- token.cgi | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'token.cgi') diff --git a/token.cgi b/token.cgi index c1630ec91..030d264af 100755 --- a/token.cgi +++ b/token.cgi @@ -124,17 +124,18 @@ sub requestChangePassword { or ThrowUserError("login_needed_for_password_change"); check_email_syntax($login_name); - my $user = Bugzilla::User->check($login_name); + my $user = new Bugzilla::User({ name => $login_name }); # Make sure the user account is active. - if (!$user->is_enabled) { + if ($user && !$user->is_enabled) { ThrowUserError('account_disabled', {disabled_reason => get_text('account_disabled', {account => $login_name})}); } - Bugzilla::Token::IssuePasswordToken($user); + Bugzilla::Token::IssuePasswordToken($user) if $user; $vars->{'message'} = "password_change_request"; + $vars->{'login_name'} = $login_name; print $cgi->header(); $template->process("global/message.html.tmpl", $vars) -- cgit v1.2.3-24-g4f1b