Jelajahi Sumber

Merge pull request #178 from qor5/fix-security-issue

Respond with 'Email sent' regardless of whether a match occurred
Charles Shen 1 tahun lalu
induk
melakukan
50b1a850ac
1 mengubah file dengan 2 tambahan dan 6 penghapusan
  1. 2 6
      login/builder.go

+ 2 - 6
login/builder.go

@@ -964,12 +964,8 @@ func (b *Builder) sendResetPasswordLink(w http.ResponseWriter, r *http.Request)
 
 	u, err := b.userModel.(UserPasser).FindUser(b.db, b.newUserObject(), account)
 	if err != nil {
-		if err == gorm.ErrRecordNotFound {
-			setFailCodeFlash(w, FailCodeUserNotFound)
-			setWrongForgetPasswordInputFlash(w, WrongForgetPasswordInputFlash{
-				Account: account,
-			})
-			http.Redirect(w, r, failRedirectURL, http.StatusFound)
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			http.Redirect(w, r, fmt.Sprintf("%s?a=%s", b.resetPasswordLinkSentPageURL, account), http.StatusFound)
 			return
 		}
 		panic(err)