From d386db0bc397476a573aad88be0d93fb0d5b12d1 Mon Sep 17 00:00:00 2001
From: Ingo Schommer
Date: Thu, 10 Sep 2009 03:01:46 +0000
Subject: [PATCH] ENHANCEMENT Avoid information disclosure in Security/lostpassword form by returning the same message regardless wether a matching email address was found in the database.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@86021 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 lang/en_US.php | 2 +-
 security/MemberLoginForm.php | 11 +++--------
 security/Security.php | 2 +-
 3 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/lang/en_US.php b/lang/en_US.php
index 77fb8ec3a..4c105f00f 100644
--- a/lang/en_US.php
+++ b/lang/en_US.php
@@ -653,7 +653,7 @@ $lang['en_US']['Security']['NOTERESETPASSWORD'] = 'Enter your e-mail address and
 $lang['en_US']['Security']['NOTHINGTOENCRYPT1'] = 'No passwords to encrypt';
 $lang['en_US']['Security']['NOTHINGTOENCRYPT2'] = 'There are no members with a clear text password that could be encrypted!';
 $lang['en_US']['Security']['PASSWORDSENTHEADER'] = 'Password reset link sent to \'%s\'';
-$lang['en_US']['Security']['PASSWORDSENTTEXT'] = 'Thank you! The password reset link has been sent to \'%s\'.';
+$lang['en_US']['Security']['PASSWORDSENTTEXT'] = 'Thank you! A reset link has been sent to \'%s\', provided an account exists for this email address.';
 $lang['en_US']['Security']['PERMFAILURE'] = ' This page is secured and you need administrator rights to access it.
 Enter your credentials below and we will send you right along.';
 $lang['en_US']['SecurityAdmin']['ADVANCEDONLY'] = 'This section is for advanced users only.
diff --git a/security/MemberLoginForm.php b/security/MemberLoginForm.php
index 3a56e51fc..a33effadb 100644
--- a/security/MemberLoginForm.php
+++ b/security/MemberLoginForm.php
@@ -231,14 +231,9 @@ JS
 Director::redirect('Security/passwordsent/' . urlencode($data['Email']));
 } elseif($data['Email']) {
- $this->sessionMessage(
- _t('Member.ERRORSIGNUP', 'Sorry, but I don\'t recognise the e-mail address. Maybe you need ' .
- 'to sign up, or perhaps you used another e-mail address?'
- ),
- 'bad'
- );
-
- Director::redirectBack();
+ // Avoid information disclosure by displaying the same status,
+ // regardless wether the email address actually exists
+ Director::redirect('Security/passwordsent/' . urlencode($data['Email']));
 } else {
 $this->sessionMessage(
 _t('Member.ENTEREMAIL', 'Please enter an email address to get a password reset link.'),
diff --git a/security/Security.php b/security/Security.php
index 0d5015f1a..9e3f4cf27 100644
--- a/security/Security.php
+++ b/security/Security.php
@@ -469,7 +469,7 @@ class Security extends Controller {
 'Title' => sprintf(_t('Security.PASSWORDSENTHEADER', "Password reset link sent to '%s'"), $email),
 'Content' => "
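Review bot: Redirecting to the same page hides the message difference, but the two outcomes are still distinguishable by response time if the matching branch above (it begins outside this hunk) generates a token and sends the reset e-mail synchronously before its own `Director::redirect(...)`; closing the enumeration channel properly needs the mail to be queued or the response padded, otherwise an attacker can still tell registered addresses apart. Since the `elseif` branch now ends in exactly the same `Director::redirect('Security/passwordsent/' . urlencode($data['Email']));` as the context line above it, the redirect could be written once after the `if`/`elseif` instead of being duplicated. Minor wording: the added comment should read `// regardless whether the email address actually exists` (typo `wether`). Note also that the submitted address, known or not, is now always placed in the redirect URL path, where it ends up in access logs and Referer headers; confirm that this is acceptable for unknown addresses too.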

" . - sprintf(_t('Security.PASSWORDSENTTEXT', "Thank you! The password reset link has been sent to '%s'."), $email) . + sprintf(_t('Security.PASSWORDSENTTEXT', "Thank you! A reset link has been sent to '%s', provided an account exists for this email address."), $email) . "

", ));