This repository has been archived by the owner on Aug 23, 2020. It is now read-only.

Leaking of password reset token through the reset url #80

Open
joshblum opened this issue Jun 7, 2017 · 1 comment · May be fixed by #82

Comments


joshblum commented Jun 7, 2017

I think it is possible to leak the password reset token since it is left in the URL. In Django 1.11 the token is stripped during a redirect (docs, code) to prevent the token from being taken from the Referer header by 3rd-party apps on the page. I haven't dug too deeply into the source for this project, but at a first glance it seems that the vulnerability exists. If this is the case, I would be happy to help fix it similarly to django-registration-redux, or at the very least alert you to the issue. Let me know if you guys need any help!
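The redirect-and-stash pattern the comment refers to, as an added illustration that is not code from this project or from Django: the first request carries the real token in the URL, validates it, moves it into the server-side session, and redirects to the same path with a fixed sentinel in place of the token; the second request reads the token back from the session. Any script or image loaded on the password form page then only ever sees the sentinel URL in its Referer header. The token scheme (`make_token`, `check_token`), the `Response` stand-in, `handle_reset_confirm` and `run_flow` are all constructed for this example; the sentinel and session-key names are modelled on the ones Django uses.

```python
import hashlib
import hmac
import time

# Constructed constants: the real token is swapped out of the URL for a fixed
# sentinel and kept only in the session for the rest of the flow.
INTERNAL_RESET_URL_TOKEN = "set-password"
INTERNAL_RESET_SESSION_TOKEN = "_password_reset_token"
TOKEN_TTL_SECONDS = 3 * 24 * 3600           # assumed lifetime of a reset link
SERVER_SECRET = b"constructed-demo-secret"  # placeholder; use the deployment's secret key


def make_token(user_id, password_hash, timestamp=None):
    """Build a '<ts>-<mac>' reset token bound to the user's current password
    hash, so the token stops validating once the password has been changed."""
    ts = int(time.time() if timestamp is None else timestamp)
    msg = f"{user_id}:{password_hash}:{ts}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{ts}-{mac}"


def check_token(user_id, password_hash, token, now=None):
    """Constant-time MAC comparison plus an expiry check on the timestamp."""
    if not isinstance(token, str) or "-" not in token:
        return False
    ts_str, _ = token.split("-", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    expected = make_token(user_id, password_hash, ts)
    if not hmac.compare_digest(expected, token):
        return False
    now = int(time.time() if now is None else now)
    return 0 <= now - ts <= TOKEN_TTL_SECONDS


class Response:
    """Minimal stand-in for a framework response object."""
    def __init__(self, status, body="", location=None):
        self.status = status
        self.body = body
        self.location = location


def reset_path(user_id, token):
    return f"/reset/{user_id}/{token}/"


def handle_reset_confirm(session, user, token_in_url, now=None):
    """Confirm-view logic. `session` is a dict standing in for the server-side
    session; `user` is a dict with 'id' and 'password_hash'."""
    if token_in_url != INTERNAL_RESET_URL_TOKEN:
        # Step 1: the real token arrived in the URL. Validate it, stash it in
        # the session, then redirect so the address bar (and the Referer sent
        # by any resource on the form page) shows only the sentinel.
        if check_token(user["id"], user["password_hash"], token_in_url, now):
            session[INTERNAL_RESET_SESSION_TOKEN] = token_in_url
            return Response(302, location=reset_path(user["id"], INTERNAL_RESET_URL_TOKEN))
        return Response(200, body="invalid-link")

    # Step 2: sentinel in the URL; the real token is read back from the session.
    session_token = session.get(INTERNAL_RESET_SESSION_TOKEN)
    if session_token and check_token(user["id"], user["password_hash"], session_token, now):
        return Response(200, body="password-form")
    return Response(200, body="invalid-link")


def run_flow(user, token, now=None):
    """Drive both requests of the exchange and return, as the third value, the
    path a third-party resource on the form page could observe in Referer."""
    session = {}
    first = handle_reset_confirm(session, user, token, now)
    if first.status != 302:
        return first, None, None
    second = handle_reset_confirm(session, user, INTERNAL_RESET_URL_TOKEN, now)
    return first, second, first.location


if __name__ == "__main__":
    demo_user = {"id": 42, "password_hash": "constructed-hash"}
    tok = make_token(demo_user["id"], demo_user["password_hash"], timestamp=1_000_000)
    first, second, referer_path = run_flow(demo_user, tok, now=1_000_100)
    print(first.status, first.location)      # 302 /reset/42/set-password/
    print(second.body, tok in referer_path)  # password-form False
```

Binding the token to the password hash means a token that has already been used to set a new password no longer validates, so a copy that did leak earlier (for example from server logs written before the redirect) cannot be replayed after the reset completes. A sentinel request on a fresh session, without the token stashed, is rejected.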

lambdalisue (Owner) commented

Thanks for alerting us to that security issue. We will check the code and the problems and may ask you for some help 👍

fly. @giginet
