Fixed #14612 - Password reset page leaks valid user ids publicly.

Thanks to PaulM for the report.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14456 bcc190cf-cafb-0310-a4f2-bffc1f526a37

django/contrib/auth/tests/views.py

@@ -100,6 +100,12 @@ class PasswordResetTest(AuthViewsTestCase):
         self.assertEquals(response.status_code, 200)
         self.assert_("The password reset link was invalid" in response.content)
 
+    def test_confirm_invalid_user(self):
+        # Ensure that we get a 200 response for a non-existant user, not a 404
+        response = self.client.get('/reset/123456-1-1/')
+        self.assertEquals(response.status_code, 200)
+        self.assert_("The password reset link was invalid" in response.content)
+
     def test_confirm_invalid_post(self):
         # Same as test_confirm_invalid, but trying
         # to do a POST instead.

django/contrib/auth/views.py

@@ -143,13 +143,13 @@ def password_reset_confirm(request, uidb36=None, token=None, template_name='regi
         post_reset_redirect = reverse('django.contrib.auth.views.password_reset_complete')
     try:
         uid_int = base36_to_int(uidb36)
-    except ValueError:
+        user = User.objects.get(id=uid_int)
-        raise Http404
+    except (ValueError, User.DoesNotExist):
+        user = None
 
-    user = get_object_or_404(User, id=uid_int)
     context_instance = RequestContext(request)
 
-    if token_generator.check_token(user, token):
+    if user is not None and token_generator.check_token(user, token):
         context_instance['validlink'] = True
         if request.method == 'POST':
             form = set_password_form(user, request.POST)