authorLefsFlare2016-10-17 10:08:40 +0800
committer无闻2016-10-16 22:08:40 -0400
commit2cb5ec598388f5281e01e17e650421103b562b30 (patch)
tree4bc46dacd7afe5dc3ce4741ac767bbb320ace90f
parent2bec8a4f1ef6b48220a0010c1482e561abd55810 (diff)
Prevented user enumeration of valid users through HTTP status codes of login (#3639) (#3654)
-rw-r--r--routers/user/auth.go6
1 files changed, 4 insertions, 2 deletions
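diff --git a/routers/user/auth.go b/routers/user/auth.go
index 031ac026b..7117f1ec7 100644
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -341,8 +341,10 @@ func ForgotPasswdPost(ctx *context.Context) {
 u, err := models.GetUserByEmail(email)
 if err != nil {
 if models.IsErrUserNotExist(err) {
-ctx.Data["Err_Email"] = true
-ctx.RenderWithErr(ctx.Tr("auth.email_not_associate"), FORGOT_PASSWORD, nil)
+ctx.Data["Hours"] = setting.Service.ActiveCodeLives / 60
+ctx.Data["IsResetSent"] = true
+ctx.HTML(200, FORGOT_PASSWORD)
+return
 } else {
 ctx.Handle(500, "user.ResetPasswd(check existence)", err)
 }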
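Review bot: The generic "reset sent" response in the IsErrUserNotExist branch closes the status-code and message channel, but the two outcomes remain distinguishable by latency: the unknown-address branch renders immediately, while the registered-address path presumably goes on to generate a code and send mail before rendering (that code lies outside the hunk), so request timing can still separate the cases. Consider doing comparable work on both paths or handing the mail send off so both branches return in similar time; that change is outside this hunk. The intent of the branch deserves a comment, since a later maintainer may read it as a bug and restore the error message: `// Pretend a reset mail was sent so the response does not reveal whether the address is registered.` With the branch now returning, the `} else {` wrapper is redundant and the 500 handler can follow as a plain statement, and `ctx.Data["Hours"]` most likely duplicates the value the success path sets and could be assigned once above the lookup. ForgotPasswdPost starts and ends outside the hunk.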