https://www.redmine.org/ https://www.redmine.org/favicon.ico?1679302129 2017-02-22T01:22:39Z Redmine
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=76823 2017-02-22T01:22:39Z Go MAEDA
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/25144">Defect #25144</a>: Account Harvesting login issue</i> added</li></ul>
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=76825 2017-02-22T01:32:55Z Go MAEDA
<ul></ul><p><a class="source" href="https://www.redmine.org/projects/redmine/repository/svn/entry/tags/3.3.2/config/locales/en.yml#L153">source:tags/3.3.2/config/locales/en.yml#L153</a>:<br /><pre>
notice_account_unknown_email: Unknown user.
</pre></p>
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=76826 2017-02-22T01:39:55Z Go MAEDA
<ul></ul><p>Aron Rotteveel wrote:</p>
<blockquote>
<p>It would be better to have this form output a success message in every scenario in order to make e-mail harvesting harder.</p>
</blockquote>
<p>I completely agree. Redmine should always display <code>notice_account_lost_email_sent</code> ("An email with instructions to choose a new password has been sent to you.").</p>
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=107405 2022-07-21T08:02:25Z j l
<ul></ul><p>Hello,</p>
<p>I comment on this 12-year-old defect because this is the only active one I found regarding this subject. <br />Is there a version in which this issue has been addressed, or a workaround?</p>
<p>Thanks.<br />Regards,<br />JL</p>
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=107407 2022-07-21T09:49:42Z Go MAEDA
<ul><li><strong>File</strong> <a href="/attachments/29483">6254.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/29483/6254.patch">6254.patch</a> added</li></ul><p>The attached patch changes the message when the entered email address is invalid as follows. Comments are welcome.</p>
<p>Before: "Invalid user" <br />After: "An email with instructions to choose a new password has been sent to you"</p>
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=107468 2022-07-28T14:54:18Z j l
<ul></ul><p>This patch should indeed do the trick, thanks!</p>
<p>I would even suggest updating the message to more accurately reflect the reality. Something like "An email with instructions to choose a new password has been sent if the mail address matches an existing account"</p>
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=107595 2022-08-10T22:43:28Z Mischa The Evil
<ul><li><strong>Has duplicate</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/37517">Defect #37517</a>: User disclosure vulnerability via "Forgot password" functionality</i> added</li></ul>
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=107717 2022-08-27T04:31:37Z Mischa The Evil
<ul><li><strong>Target version</strong> set to <i>Unplanned backlogs</i></li></ul>
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=109191 2023-01-26T09:06:48Z Go MAEDA
<ul><li><strong>File</strong> <a href="/attachments/30138">6254-v2.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/30138/6254-v2.patch">6254-v2.patch</a> added</li><li><strong>Target version</strong> changed from <i>Unplanned backlogs</i> to <i>5.1.0</i></li></ul><p>Setting the target version to 5.1.0.</p>
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=109289 2023-02-07T03:52:53Z Go MAEDA
<ul><li><strong>Subject</strong> changed from <i>Remove 'invalid user' notification on password request with invalid e-mailadress</i> to <i>Remove "Unknown user" notification on password request with non-existent email address</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Assignee</strong> set to <i>Go MAEDA</i></li><li><strong>Resolution</strong> set to <i>Fixed</i></li></ul><p>Committed the patch.</p>
Redmine - Defect #6254: Remove "Unknown user" notification on password request with non-existent email address https://www.redmine.org/issues/6254?journal_id=111265 2023-10-29T22:50:24Z Mischa The Evil
<ul><li><strong>Start date</strong> deleted (<del><i>2010-08-31</i></del>)</li></ul>
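<p>The behaviour change discussed in this issue, as an added example that is not Redmine's code and not the attached patch: a small Ruby model of a password-recovery handler before and after the fix, with a regression check that the response no longer depends on whether the address is registered. The handler names, the <code>Response</code> struct and the sample addresses are assumptions made for illustration; only the two notice keys and their texts come from the thread.</p>

```ruby
# Constructed sample data: one registered address, not taken from a real system.
ACCOUNTS = { "alice@example.test" => "alice" }.freeze

# Notice keys and texts as quoted in the thread. Everything else in this file
# is a hypothetical model, not Redmine's controller.
NOTICES = {
  notice_account_unknown_email: "Unknown user.",
  notice_account_lost_email_sent:
    "An email with instructions to choose a new password has been sent to you."
}.freeze

Response = Struct.new(:status, :notice)

# Normalise the submitted address before looking it up.
def find_account(email)
  ACCOUNTS[email.to_s.strip.downcase]
end

# "Before": the notice tells the caller whether the address is registered.
def lost_password_before(email, outbox)
  unless find_account(email)
    return Response.new(200, NOTICES[:notice_account_unknown_email])
  end
  outbox << email
  Response.new(200, NOTICES[:notice_account_lost_email_sent])
end

# "After": mail is still sent only to an existing account, but every caller
# receives the same response.
def lost_password_after(email, outbox)
  outbox << email if find_account(email)
  Response.new(200, NOTICES[:notice_account_lost_email_sent])
end

# Regression check: true when the visible response (status and notice) differs
# between a registered and an unregistered address.
def reveals_account?(handler)
  known   = method(handler).call("alice@example.test", [])
  unknown = method(handler).call("nobody@example.test", [])
  known != unknown
end
```

<p>A check like <code>reveals_account?</code> belongs in the test suite so that a later change to the notice or redirect cannot quietly reintroduce the difference.</p>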