FS#48366 - Password reset for non-existing AUR accounts
Attached to Project:
AUR web interface
Opened by Christian Jurk (commx) - Sunday, 28 February 2016, 12:41 GMT
Last edited by Lukas Fleischer (lfleischer) - Thursday, 23 April 2020, 00:18 GMT
Details
Description:
When requesting a password for an arbitrary email address, the "Forgot Password" function will show "Check your e-mail for the confirmation link.", regardless of whether the used email address exists or not. This will confuse users, in case they used a different email address for their account and they don't receive any email anyway.
Closed by Lukas Fleischer (lfleischer)
Thursday, 23 April 2020, 00:18 GMT
Reason for closing: Not a bug
But not leaking if an email is registered is not security by obscurity.
If the registration page just returns if an email is in use, then there is an issue with the registration page.
On the registration page, it should inform the user the reason why the form submission failed. This includes "A user with this username exists" and "The email address provided is already used" and other sites do this.
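The behaviour the report describes (one fixed message from "Forgot Password" regardless of whether the address is registered) is the standard way to keep the reset form from acting as an account-enumeration oracle. The following is an added illustration written for this page, not code from the AUR web interface; the in-memory user table, outbox and token store are constructed stand-ins for the real database and mailer.

```python
import hashlib
import secrets
import time

# Constructed in-memory user table: e-mail -> user id (the real AUR uses a database).
USERS = {"alice@example.org": 1, "bob@example.org": 2}

# Constructed stand-in for the mailer: records the e-mails that would have been sent.
OUTBOX = []

# Pending reset tokens keyed by their SHA-256 hash, so a dump of this store
# does not yield usable tokens. Value: (user id, expiry timestamp).
PENDING_RESETS = {}

GENERIC_MESSAGE = "Check your e-mail for the confirmation link."
TOKEN_LIFETIME_SECONDS = 3600


def request_password_reset(email: str) -> str:
    """Handle a 'Forgot Password' submission.

    Returns the same message whether or not the address is registered, so the
    form reveals nothing about which addresses have accounts. The token is
    generated on every request, so the unregistered path does not finish
    noticeably faster than the registered one (a timing side channel would
    otherwise undo the benefit of the generic message).
    """
    normalized = email.strip().lower()
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    user_id = USERS.get(normalized)
    if user_id is not None:
        PENDING_RESETS[token_hash] = (user_id, time.time() + TOKEN_LIFETIME_SECONDS)
        OUTBOX.append({"to": normalized, "token": token})
    return GENERIC_MESSAGE


def consume_reset_token(token: str):
    """Return the user id for a valid, unexpired token and invalidate it; else None."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING_RESETS.pop(token_hash, None)  # single use: removed on first attempt
    if entry is None:
        return None
    user_id, expires_at = entry
    if time.time() > expires_at:
        return None
    return user_id
```

Whether the generic message is worth its usability cost is exactly the trade-off argued in the comments above; the code only shows what the "not a bug" behaviour looks like when implemented deliberately.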