ENHANCEMENT Avoid information disclosure in Security/lostpassword form by returning the same message regardless of whether a matching email address was found in the database.

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@86021 467b73ca-7a2a-4603-9d3b-597d59a354a9
Ingo Schommer 2009-09-10 03:01:46 +00:00
parent ed5475bbae
commit d386db0bc3
3 changed files with 5 additions and 10 deletions


@ -653,7 +653,7 @@ $lang['en_US']['Security']['NOTERESETPASSWORD'] = 'Enter your e-mail address and
$lang['en_US']['Security']['NOTHINGTOENCRYPT1'] = 'No passwords to encrypt'; $lang['en_US']['Security']['NOTHINGTOENCRYPT1'] = 'No passwords to encrypt';
$lang['en_US']['Security']['NOTHINGTOENCRYPT2'] = 'There are no members with a clear text password that could be encrypted!'; $lang['en_US']['Security']['NOTHINGTOENCRYPT2'] = 'There are no members with a clear text password that could be encrypted!';
$lang['en_US']['Security']['PASSWORDSENTHEADER'] = 'Password reset link sent to \'%s\''; $lang['en_US']['Security']['PASSWORDSENTHEADER'] = 'Password reset link sent to \'%s\'';
$lang['en_US']['Security']['PASSWORDSENTTEXT'] = 'Thank you! The password reset link has been sent to \'%s\'.'; $lang['en_US']['Security']['PASSWORDSENTTEXT'] = 'Thank you! A reset link has been sent to \'%s\', provided an account exists for this email address.';
$lang['en_US']['Security']['PERMFAILURE'] = ' This page is secured and you need administrator rights to access it. $lang['en_US']['Security']['PERMFAILURE'] = ' This page is secured and you need administrator rights to access it.
Enter your credentials below and we will send you right along.'; Enter your credentials below and we will send you right along.';
$lang['en_US']['SecurityAdmin']['ADVANCEDONLY'] = 'This section is for advanced users only. $lang['en_US']['SecurityAdmin']['ADVANCEDONLY'] = 'This section is for advanced users only.


@ -231,14 +231,9 @@ JS
Director::redirect('Security/passwordsent/' . urlencode($data['Email'])); Director::redirect('Security/passwordsent/' . urlencode($data['Email']));
} elseif($data['Email']) { } elseif($data['Email']) {
$this->sessionMessage( // Avoid information disclosure by displaying the same status,
_t('Member.ERRORSIGNUP', 'Sorry, but I don\'t recognise the e-mail address. Maybe you need ' . // regardless wether the email address actually exists
'to sign up, or perhaps you used another e-mail address?' Director::redirect('Security/passwordsent/' . urlencode($data['Email']));
),
'bad'
);
Director::redirectBack();
} else { } else {
$this->sessionMessage( $this->sessionMessage(
_t('Member.ENTEREMAIL', 'Please enter an email address to get a password reset link.'), _t('Member.ENTEREMAIL', 'Please enter an email address to get a password reset link.'),
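Review bot: The first two branches of the hunk now end in the identical `Director::redirect('Security/passwordsent/' . urlencode($data['Email']));`, so the `elseif($data['Email'])` branch is pure duplication; folding the (presumably member-lookup) condition of the `if` line above the hunk into a guard around the mail-sending step, followed by one shared redirect, would state the intent more directly. The new comment also has a typo and should read `// regardless of whether the email address actually exists`. Note that the member-exists path still sends the reset mail before redirecting while the new path redirects immediately, so response timing can still differ between the two cases; whether that is observable depends on the mailer being synchronous, which the hunk does not show. The enclosing form handler starts and ends outside the hunk.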


@ -469,7 +469,7 @@ class Security extends Controller {
'Title' => sprintf(_t('Security.PASSWORDSENTHEADER', "Password reset link sent to '%s'"), $email), 'Title' => sprintf(_t('Security.PASSWORDSENTHEADER', "Password reset link sent to '%s'"), $email),
'Content' => 'Content' =>
"<p>" . "<p>" .
sprintf(_t('Security.PASSWORDSENTTEXT', "Thank you! The password reset link has been sent to '%s'."), $email) . sprintf(_t('Security.PASSWORDSENTTEXT', "Thank you! A reset link has been sent to '%s', provided an account exists for this email address."), $email) .
"</p>", "</p>",
)); ));
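Review bot: `$email` is formatted straight into the HTML `Content` string on the PASSWORDSENTTEXT line, and with this commit the lostpassword handler redirects here for any submitted address, so the value is now fully user-chosen rather than a known member's email; unless `$email` is already escaped earlier in the method (not visible in the hunk), it should be passed through `Convert::raw2xml($email)` before the `sprintf`. The `Title` on the first line of the hunk still reads `Password reset link sent to '%s'` while the body now says a link was sent only if an account exists, so the header contradicts the hedged wording; updating PASSWORDSENTHEADER in the same way would keep the two consistent. The enclosing method starts outside the hunk.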