ENHANCEMENT Avoid information disclosure in Security/lostpassword form by returning the same message regardless of whether a matching email address was found in the database.

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@86021 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer 2009-09-10 03:01:46 +00:00
parent ed5475bbae
commit d386db0bc3
3 changed files with 5 additions and 10 deletions


@ -653,7 +653,7 @@ $lang['en_US']['Security']['NOTERESETPASSWORD'] = 'Enter your e-mail address and
$lang['en_US']['Security']['NOTHINGTOENCRYPT1'] = 'No passwords to encrypt';
$lang['en_US']['Security']['NOTHINGTOENCRYPT2'] = 'There are no members with a clear text password that could be encrypted!';
$lang['en_US']['Security']['PASSWORDSENTHEADER'] = 'Password reset link sent to \'%s\'';
$lang['en_US']['Security']['PASSWORDSENTTEXT'] = 'Thank you! The password reset link has been sent to \'%s\'.';
$lang['en_US']['Security']['PASSWORDSENTTEXT'] = 'Thank you! A reset link has been sent to \'%s\', provided an account exists for this email address.';
$lang['en_US']['Security']['PERMFAILURE'] = ' This page is secured and you need administrator rights to access it.
Enter your credentials below and we will send you right along.';
$lang['en_US']['SecurityAdmin']['ADVANCEDONLY'] = 'This section is for advanced users only.


@ -231,14 +231,9 @@ JS
Director::redirect('Security/passwordsent/' . urlencode($data['Email']));
} elseif($data['Email']) {
$this->sessionMessage(
_t('Member.ERRORSIGNUP', 'Sorry, but I don\'t recognise the e-mail address. Maybe you need ' .
'to sign up, or perhaps you used another e-mail address?'
),
'bad'
);
Director::redirectBack();
// Avoid information disclosure by displaying the same status,
// regardless wether the email address actually exists
Director::redirect('Security/passwordsent/' . urlencode($data['Email']));
} else {
$this->sessionMessage(
_t('Member.ENTEREMAIL', 'Please enter an email address to get a password reset link.'),
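Review bot: The two branches still differ in the work done before the redirect: the found-email branch (its body lies above this hunk) presumably generates a token and sends the mail before reaching the redirect on the first context line, while the new branch redirects at once, so response timing can still hint at whether an account exists; the added comment should record that residual channel, e.g. `// Note: response time still differs when a mail is actually sent.` The new `Director::redirect('Security/passwordsent/' . urlencode($data['Email']));` duplicates the one in the preceding branch, so the redirect could be written once after the if/elseif instead. The comment's `wether` should read `whether`. The enclosing method starts and ends outside this hunk.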


@ -469,7 +469,7 @@ class Security extends Controller {
'Title' => sprintf(_t('Security.PASSWORDSENTHEADER', "Password reset link sent to '%s'"), $email),
'Content' =>
"<p>" .
sprintf(_t('Security.PASSWORDSENTTEXT', "Thank you! The password reset link has been sent to '%s'."), $email) .
sprintf(_t('Security.PASSWORDSENTTEXT', "Thank you! A reset link has been sent to '%s', provided an account exists for this email address."), $email) .
"</p>",
));
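Review bot: `$email` is interpolated straight into the HTML `Title` and `Content` strings on the first line and on the new `sprintf` line, and it originates from the URL path that the lostpassword handler builds from user input, so it must be HTML-escaped before reaching these calls unless that already happens where `$email` is assigned above the hunk (not visible here); if it does not, `$email = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');` before this array would close the gap. The `Title` still asserts "Password reset link sent to '%s'", a delivery claim that the new `Content` wording deliberately no longer makes; a neutral header such as "Password reset requested for '%s'" would keep the two consistent, with the matching lang entry updated alongside. The enclosing method starts and ends outside this hunk.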