From 2cb5ec598388f5281e01e17e650421103b562b30 Mon Sep 17 00:00:00 2001 From: LefsFlare Date: Mon, 17 Oct 2016 10:08:40 +0800 Subject: [PATCH] Prevented user enumeration of valid users through HTTP status codes of login (#3639) (#3654) --- routers/user/auth.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/routers/user/auth.go b/routers/user/auth.go index 031ac026bd3..7117f1ec7f0 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -341,8 +341,10 @@ func ForgotPasswdPost(ctx *context.Context) { u, err := models.GetUserByEmail(email) if err != nil { if models.IsErrUserNotExist(err) { - ctx.Data["Err_Email"] = true - ctx.RenderWithErr(ctx.Tr("auth.email_not_associate"), FORGOT_PASSWORD, nil) + ctx.Data["Hours"] = setting.Service.ActiveCodeLives / 60 + ctx.Data["IsResetSent"] = true + ctx.HTML(200, FORGOT_PASSWORD) + return } else { ctx.Handle(500, "user.ResetPasswd(check existence)", err) }