django-inspectional-registration

Leaking of password reset token through the reset url

Open · joshblum opened this issue 7 years ago · 1 comment

I think it is possible to leak the password reset token since it is left in the URL. In Django 1.11 the token is stripped during a redirect (docs, code) to prevent the token from being taken from the Referer header by 3rd party apps on the page. I haven't dug too deeply into the source for this project, but at first glance it seems that the vulnerability exists. If this is the case I would be happy to help fix it similar to django-registration-redux, or at the very least alert you to the issue. Let me know if you guys need any help!

joshblum, Jun 07 '17 22:06
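For readers unfamiliar with the Django 1.11 change the report refers to, the following is an added illustration, not code from django-inspectional-registration or from Django itself. It sketches the redirect pattern in framework-free Python: the first request that carries the real token verifies it, moves it into the session and redirects to the same URL with a fixed placeholder, so that any third-party script or image loaded by the password form only ever sees the placeholder in the Referer header. The `Request`/`Response` classes, the HMAC token scheme, the URL layout and the constants `INTERNAL_RESET_URL_TOKEN`/`INTERNAL_RESET_SESSION_TOKEN` (named after Django's, but reimplemented here) are all assumptions for the example.

```python
"""Added example: Django 1.11-style password-reset-confirm redirect.

Not code from django-inspectional-registration or Django. The request/session
objects, token format and URL layout are simplified assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import List, Optional

SECRET_KEY = secrets.token_bytes(32)           # assumed per-process signing secret
TOKEN_TTL = 3 * 24 * 3600                      # assumed token lifetime: 3 days
INTERNAL_RESET_URL_TOKEN = "set-password"      # placeholder shown in the URL instead of the token
INTERNAL_RESET_SESSION_TOKEN = "_password_reset_token"


def make_token(uid: str, issued_at: Optional[int] = None) -> str:
    """Constructed token '<issued_at>-<hmac>'; stands in for a real
    password-reset token generator, which the issue does not show."""
    ts = int(time.time()) if issued_at is None else issued_at
    mac = hmac.new(SECRET_KEY, f"{uid}:{ts}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}-{mac}"


def check_token(uid: str, token: str, now: Optional[int] = None) -> bool:
    """Constant-time MAC comparison plus an expiry window."""
    try:
        ts_str, mac = token.split("-", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, f"{uid}:{ts}".encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return False
    now = int(time.time()) if now is None else now
    return 0 <= now - ts <= TOKEN_TTL


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; the session dict persists across calls."""
    method: str
    session: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: str = ""


def reset_url(uid: str, token: str) -> str:
    # Assumed URL layout; the real project's URL pattern may differ.
    return f"/accounts/password/reset/{uid}/{token}/"


def password_reset_confirm(request: Request, uid: str, token: str) -> Response:
    """Handle GET /.../<uid>/<token>/ the way Django 1.11's confirm view does."""
    if token != INTERNAL_RESET_URL_TOKEN:
        # First hit carries the real token: verify it, stash it in the session
        # and redirect, so the token no longer appears in the page URL (and
        # therefore not in the Referer sent to third-party resources).
        if not check_token(uid, token):
            return Response(400, body="invalid or expired reset link")
        request.session[INTERNAL_RESET_SESSION_TOKEN] = token
        return Response(302, location=reset_url(uid, INTERNAL_RESET_URL_TOKEN))

    # Second hit carries only the placeholder; the real token comes from the session.
    session_token = request.session.get(INTERNAL_RESET_SESSION_TOKEN)
    if session_token is None or not check_token(uid, session_token):
        return Response(400, body="invalid or expired reset link")
    return Response(200, body="<form>new password</form>")


def follow_reset_link(uid: str, token: str) -> List[Response]:
    """Drive the two GETs a browser performs when it follows an e-mailed link
    and then the redirect, reusing the same session cookie."""
    request = Request(method="GET")
    responses = [password_reset_confirm(request, uid, token)]
    if responses[0].status == 302:
        placeholder = responses[0].location.rstrip("/").rsplit("/", 1)[-1]
        responses.append(password_reset_confirm(request, uid, placeholder))
    return responses
```

The security property to check in a project that embeds the token in the URL is simply whether the page that renders the new-password form still has the token in its address bar: if it does, every external script, font or image on that page receives it in the Referer header. With the pattern above the form page's URL ends in `set-password`, and a request that arrives with the placeholder but no matching session token is rejected rather than trusted.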

Thanks for alerting us to that security issue. We will check the code and the problems and may ask you for some help 👍

fly. @giginet

lambdalisue, Jun 08 '17 16:06