Fixed #31505 -- Doc'd possible email addresses enumeration in PasswordResetView.

This commit is contained in:
Mariusz Felisiak 2020-04-27 18:06:11 +02:00 committed by GitHub
parent 71d9876e39
commit ca769c8c13
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 0 deletions

@ -1238,6 +1238,16 @@ implementation details see :ref:`using-the-views`.
:class:`~django.contrib.auth.forms.PasswordResetForm` and use the :class:`~django.contrib.auth.forms.PasswordResetForm` and use the
``form_class`` attribute. ``form_class`` attribute.
.. note::
Be aware that sending an email costs extra time, hence you may be
vulnerable to an email address enumeration timing attack due to a
difference between the duration of a reset request for an existing
email address and the duration of a reset request for a nonexistent
email address. To reduce the overhead, you can use a 3rd party package
that allows to send emails asynchronously, e.g. `django-mailer
<https://pypi.org/project/django-mailer/>`_.
Users flagged with an unusable password (see Users flagged with an unusable password (see
:meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't :meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
allowed to request a password reset to prevent misuse when using an allowed to request a password reset to prevent misuse when using an
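Review bot: the mitigation offered in the added note ("To reduce the overhead, you can use a 3rd party package that allows to send emails asynchronously") is framed as reducing overhead, but the risk the same note describes is a measurable difference between the two code paths, so the sentence should state the actual goal: moving mail delivery out of the request/response cycle so the duration of a reset request no longer depends on whether the email address exists. Queuing the message only helps if the hand-off happens before the response is returned, and a reader could otherwise take "reduce" to mean a partial speed-up is enough. Suggested wording: "To eliminate this difference, send the email outside the request, e.g. with a third-party package that queues emails for asynchronous delivery, such as django-mailer." Minor grammar in the same hunk: "allows to send emails asynchronously" should read "allows sending emails asynchronously".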