Problem/Motivation
The actual password reset mechanism exposes a user enumeration security vulnerability defined as Testing for User Enumeration and Guessable User Account (OWASP-AT-002) by OWASP - Open Web Application Security Project.
When resetting the password, the actual status messages displayed to the user, depending if the user exists and is active, are:
- The username (or Email) belongs to a valid and active account: Further instructions have been sent to your email address..
- The username (or Email) belongs to a blocked user: %name is blocked or has not been activated yet.
- No account exists for that username or Email: %name is not recognized as a username or an email address.
The last 2 cases are helping a potential attacker, that is doing a user enumeration, to restrict the list candidates and identify usernames or user Email addresses that are real active users (as well as blocked users).
Along with the security aspect comes also the privacy side. Think of the following scenario:
Alice wants to check if her fiancé Bob is registered at "adult-dating.example.com", a well known Internet dating site run by Drupal. She visits
adult-dating.example.com/user/passwordand enters his mail addressbob@doe-family.example. If she gets the message "Further instructions have been sent to your e-mail address.", she'll know that there is a user registered with Bobs mail address (= Bob himself) or with a username matching his mail address (unlikely that it would be someone else).
Proposed resolution
- Remove message from validateForm that display user name and/or email.
- Change message in submitForm to display user input so they can check for typos but status that if it is valid an email is sent
Message agreed upon.
Patch #257 - "If %identifier is a valid account, an email will be sent with instructions to reset your password."
There have been suggested wording in the following comments.
#29 - "Due to privacy concerns, the policy of this web site is not to disclose the existence of registered email addresses. Hence, if you entered a valid email address, a password reset link are now being sent to it.
If the email address you entered does not exist, you will not get a reset link, and will neither get any confirmation or warning about that here. If you get an email, it should generally arrive within 30 minutes or so, sometimes instantly."
#39 - Suggested edits to the previous message.
#55 - cilefen thought the previous suggestions were too long and suggested "If the email address or username you provided is associated with a site account, you will receive an email with instructions for resetting your password."
#96 - "If an account exists with these credentials, password reset instructions will be sent to the email associated with the account."
#149 - "If this account is valid, you will receive password reset instructions in your inbox."
#229 - "If a matching active account was found, further instructions will have been sent to your email address."
#236 - "If that email address is in our database, we will send you an email to reset your password." From the OWASP Authentication Cheat Sheet Password recovery.
#247 - "If that email address is in our database, an email will be sent with instructions to reset your password."
#250 - "If someone@org.nz is in our database, an email will be sent with instructions to reset your password."
#255 - "If @identifier is a valid account, an email will be sent with instructions to reset your password."
#257 - "If %identifier is a valid account, an email will be sent with instructions to reset your password."
Remaining tasks
Agree on wording of the password reset messageReviewCommit to 9.2.0.- Debate backports.
- Re-roll as appropriate.
- Decide on a follow-up so that the password recovery message is configurable from the UI. See #237
User interface changes
Same message regardless the user exists, is active or blocked.
This also decreases usability for users since they might be resetting their password with the wrong email address and then wonder why they never get an email. Right now you immediately know that you typed in a wrong email address.
To avoid https://owasp.org/www-community/attacks/Content_Spoofing and to partially mitigate the UX regression that there's no feedback if you're typing something invalid, the form now at least validates that the input is either a valid username or a valid email address. If the input is neither, you get a validation error message about it (since that's not a privacy violation):

Decreased usability vs. better privacy is probably a tradeoff we accept.
Before
For both invalid username and email

After

or

API changes
2 new injected services are needed in the UserPasswordForm constructor. @see https://www.drupal.org/node/3189310
Data model changes
None.
Release notes snippet
Password reset form no longer indicates whether the provided username or email address is in the database.
| Comment | File | Size | Author |
|---|---|---|---|
| #310 | 1521996-310.patch | 21.85 KB | ankitv18 |
| #298 | interdiff-286-298.txt | 1.41 KB | sokru |
| #298 | 1521996-298.patch | 16.39 KB | sokru |
| #292 | Before.png | 5.88 KB | quietone |
| #292 | Invalid.png | 4.02 KB | quietone |
Comments
Comment #1
Leeteq commentedGood and important suggestion. :-)
Comment #2
pdrake commentedHow about if it says "Further instructions have been sent to emailhere@emaildomain.com." in both cases (the email does exist and the email does not exist). If emailhere@emaildomain.com contains a typo, this gives the user the opportunity to realize that they have mis-typed their email address and need to try again. If this was an attempt to obtain membership information, no such information has been exposed.
Comment #3
carsten müller commented+1 for this issue
i made a patch for it, containing the following changes:
Comment #4
carsten müller commentedComment #6
c-logemannI agree with the privacy issue.
I can imagine a lot of strategies how to handle the password reset in different ways.
The default handling of the core should be very save (like the strategy above) and a more complex or more open strategy can be realized with contrib modules.
Comment #7
carsten müller commentedfixed the test and fixed the patch
Comment #8
carsten müller commentedComment #9
c-logemannAbout patch of #7
Test with existing user OK.
Test with not existing gives the following error:
Comment #10
carsten müller commentedfixed the warning from #9
fixed whitespaces
Comment #11
rob c commentedGreat stuff! but i do have 1 question:
Is it an idea to make this a configurable option? E.g. "B.S. mode" enabled? I had the same problem with a module i was working on to resend a user's name via e-email via a similiar way pass reset works. I ended up creating a config option that is enabled by default, so the admin has the choice. (because sometimes you just want to get the real info.)
Can (obviously) also start a new feature request / bug ones this issue is fixed. (I'll add it to my list of wanna-haves anyway, for when i have some time left. Thinking about making this a site wide option, used by multiple functions, registration / contact form can also make use use of it, if only for pranksters / bots.) And added it to the list of related on #1837054: [META] Refactor account workflow (and config)
Comment #12
yesct commentedupdating issue summary
Comment #12.0
yesct commentedminor
Comment #13
webchickThis seems like something we could do at any time and not something that would be subject to feature freeze, so moving to a bug. However, since it's simply a security hardening thing, I'm making it a normal bug.
Comment #14
dave reidComment #15
yesct commentedmaking it configurable could be in the scope of this issue. I dont think we need a new feature request right away. lets see what we can do here.
Comment #15.0
yesct commentedUpdated issue summary to make it easer for new people
Comment #16
penyaskitoFor the user story in the summary, a user also could try to register with the same email, and will get a validation error saying:
"The e-mail address bob@doe-family.example is already registered."
If we try to fix this in Core we should also take the registration into account, which is probably more difficult to handle (what should we do instead?).
Comment #17
penyaskitoComment #18
carsten müller commentedComment #19
carsten müller commentedComment #20
carsten müller commentedUpdated issue summary - needs updating with issue summary template (how to: http://drupal.org/node/1427826)
Comment #21
carsten müller commentedPatch of #10 has to be rerolled.
Comment #22
carsten müller commentedadded rerolled patch user-reset-password-privacy-1521996-22.patch
now matching the new code of the user module
Comment #23
carsten müller commentedComment #24
carsten müller commentedComment #25
carsten müller commentedComment #26
carsten müller commentedfixed a bug in the #22 patch
Comment #27
carsten müller commented(novice) manual testing (how to: http://drupal.org/node/1489010)
Tested locally on my machine, tests have been adjusted too, waiting for testbot to run the tests.
(novice) check coding standards and documentation (how to: http://drupal.org/node/1487976)
Tested locally with php code sniffer (phpcs) within PHPStorm with the Drupal settings. Fine, except the following errors:
UserPasswordForm.php
UserPasswordResetTest.php
Writing more tests? Needs a test only patch so the bot can show it fails. (how to: http://drupal.org/node/1468170)
Don't know if we need more tests for this. There is already the UserPasswordResetTest testing a wrong account and a valid account.
Needs an interdiff (how to: http://drupal.org/node/1488712)
The patch has to rerolled because there were a lot of changes in the structure of the user module. Code was sourced out into separate files. Therefore an interdiff is not really possible i think. But it is not much stuff ...
Comment #28
carsten müller commentedComment #29
Leeteq commentedI think it makes a lot of sense to have the text customizeable, so that each site can determine the exact wording.
I also think that we might improve on the suggested wording here.
How about something a bit more clarifying, like:
Would also be great to have this backported to D7.
Comment #30
carsten müller commentedgood idea. Is there already a settings form, where it should be integrated?
How about the user settings?
And yes, if this is done for D8, i can create a patch for D7
Comment #31
no2e commented@penyaskito (#16): I created a separate issue:
#2346389: Prevent registered email address enumeration via user registration form
Comment #32
carsten müller commentedi add the administration setting for the text
Comment #33
carsten müller commentedI added the setting for this text within the Account settings form - admin/config/people/accounts - AccountSettingsForm.php.
Just reinstall after aplying the patch and it is there. I added the text from Leeteq from #29.
The setting is just below the personalization form.
Maybe somebody has improvements for the texts ...
Comment #35
carsten müller commentedmissed config settings schema for the new value
added it to the new patch
Comment #36
c-logemann@Carsten Müller: You've been busy today on this issue. Are you sprinting in Amsterdam?
Comment #37
carsten müller commentedComment #38
carsten müller commentednext steps
Comment #39
anagp commentedFollowing tests ran on patch #35:
1) Used reset password form with a valid email address already registered
2) Used reset password form with a valid email address not registered
3) Changed the string in the form admin/config/people/accounts
All tests worked as expected (from the users point of view). However it was possible to enter an empty string in 3. It might be a good idea not to allow this.
Regarding the placing of the settings in admin/config/people/accounts I agree that it is a good place.
I would like the texts to be a bit shorter and more to the point. So here are my suggestions taking into consideration that: I agree with the comment #2 that it might be a good idea to add the possibility of printing the entered username/email so that the user can check whether it was entered correctly; and that it might not be necessary for the user to know why the information about previous existing accounts is not printed.
1) Change:
To:
2) Change:
To:
3) Change:
To:
Comment #40
aunion commentedDue to the following commit the patch was no longer working, so I updated it
https://github.com/drupal/drupal/commit/66762a5361c1b1f2ab47d462681d804a...
Comment #41
yesct commentedComment #42
jain_deepak commentedRerolled
Comment #44
ankitgarg commentedRerolled.
Comment #45
jlbellidoAfter a little bit working on it @javiprada1 and me found this minor mistakes in #44:
is missed in #44
We have worked on it at sprintweekend2015
We still need to update the strings suggested in #39
Comment #46
manningpete commentedPatch applies.
Comment #47
luismagr commentedThe patch doesn't apply.
Comment #48
luismagr commentedI have rerolled the patch.
Comment #49
luismagr commentedComment #50
David_Rothstein commentedI think the privacy concern here is somewhat overstated, given that Drupal does not verify email address. Once I have an account on a Drupal site, I can edit the account and change the email address to president@whitehouse.gov. That doesn't prove that Barack Obama or his staff are members of the site.
With #85494: Use email verification when changing user email addresses it would be more of an issue though.
Comment #51
rogerrogers commentedA fairly rudimentary privacy issue. Any plans on backporting this fix for Drupal 7?
Comment #52
rogerrogers commented[Double posted]
Comment #53
cilefen commentedIt is tagged "Needs backport to D7" so, yes.
Comment #54
rogerrogers commentedThanks @cilefen for pointing that out. If you are in the know, any idea of the priority/timeframe?
Comment #55
cilefen commentedAccording to the backport policy this must be fixed in Drupal 8 before making it to Drupal 7. According to Allowed changes during the Drupal 8 release cycle, since this issue makes "string, markup, user interface, or render array changes", it must be postponed to 8.1, which will release in about 6 months.
The best thing anybody can do to move this along right now is to provide a detailed review. Here is a partial review:
I would not use the word "texts" in a sentence like this. "messages" would be fine. The whole sentence is wordy for me.
How is this text going to exist without a hook_update_N() setting it?
The default message is unnecessarily long. What about something like "If the email address or username you provided is associated with a site account, you will receive an email with instructions for resetting your password."?
Comment #58
sophie.skPicking this up, we have a client need.
Comment #59
sophie.skPatch re-rolled against latest 8.3 dev. Haven't included an interdiff as it's reasonably different but I can provide one if requested.
Some other changes:
* Removed 'include signatures' from the patch
* Changed text values so they are more concise
* Added an update function to set the value of password_reset_text for existing installations
* Removed extra form validation because that field is required
* Set the value in the admin form
Will work on a D7 backport. Gotta install D7 locally on shaky Dublin wifi first :-)
New patch attached. Did I hear that there should be a tests-only patch for testbot? This is the first time I've done core patches with tests so any advice on that would be appreciated.
Comment #60
sophie.skChanging status,
Comment #61
sophie.skPatch for Drupal 7.x dev attached. Default variable values!
Comment #64
sophie.skNope, I need to change directory first. Reuploading the correct D7 patch. Now to figure out why the D8 patch failed.
Comment #66
sophie.skI did wonder if there were tests in d7 ... new patches for both d7 and d8. I don't know why the d8 one is failing - I only changed two lines in that file and it's failing on something elsewhere.
Comment #67
sophie.skComment #69
sophie.sk7.x patch is ready for review, but I'm really not sure why the 8.x version is failing testing. Any thoughts appreciated.
Comment #70
sophie.skComment #72
markpavlitski commented@Sophie.SK the D8 test failure is because submission of the reset password form would previously have failed with a validation error, and so would re-present the same form.
Now it always appears to succeed with the generic message (and redirects to the login page.)
You'll need to amend testUserPasswordReset() and ensure that the form is loaded again with
$this->drupalGet('user/password');before the second *real* submission.Comment #73
lomasr commentedSmall typo in '#description' in #66 . Resubmitting the patch with correction.
Comment #74
aerozeppelin commentedAn attempt to fix failing tests from #66.
I wasn't sure how to proceed in a situation where a blocked user tries to reset his password ? Should the displayed message be
%name is blocked or has not been activated yet.or should it beIf an account exists with these credentials, password reset instructions will be sent to the email associated with the account.Any thoughts ?Comment #75
sophie.sk@aerozeppelin - The point of this issue is to *not* say "%name is blocked or has not been activated yet".
Attaching patch with typo amended for D7, and an updated version of the D8 patch, re-rolled against the latest 8.3.
Comment #78
kevinsiji commentedTested. #75 patch for D7 works.
Comment #79
sophie.skRe-queued patches for the failing environments. Not sure why they're failing; they still apply cleanly to latest dev versions of 7 and 8 (with no changes that I can see), and they're failing on tests that haven't been touched in any of this work.
Comment #80
sophie.skFinally figured out testbot for my D8 patch.
Still have no idea what the D7 testbot is doing! Resubmitting the same patch, passed all tests locally.
Comment #81
sophie.skUpdating issue summary to provide further tasks (for novices).
Comment #83
dpiAlthough I am for this issue, Disclosure of usernames and user ids is not considered a weakness should be considered
Comment #84
markpavlitski commented@dpi this issue also extends to email addresses.
Comment #85
aburrows commentedHad this on Drupalcamp London website - using https://www.drupal.org/project/username_enumeration_prevention solved it.
Comment #86
dpi@markpavlitski of course, I was only speaking for usernames :)
Comment #87
dpiwhoops, not that one
Comment #88
dpiRelated issue #2828724: Username enumeration via one time login route
Comment #89
dpiTry that again...
Comment #90
markpavlitski commentedThe tests are all green, so looks like it was a testbot issue. Marking for review.
Comment #92
sophie.skRerolled the patch against 8.4.x. The same patch applies and the interdiff is empty, so not uploading a new one.
Comment #93
swilmes commentedIs there a version of this patch that works for 8.3.0-rc2?
Comment #94
sophie.skSwilmes, you could try the latest version (which applied against 8.4 dev), or else the one in #80 above (working 8.3 version).
Comment #95
pfructuoso commentedLatest patch doesn´t apply to 8.4.x
Comment #96
pfructuoso commentedUpdated #80 patch to apply in 8.4.x
Before applying patch

After applying patch

Comment #97
pfructuoso commentedComment #98
kporras07 commentedI just tested this and it works exactly as expected. Marking RTBC
Comment #99
kporras07 commentedoops
Comment #101
alexpottThis needs to be
I don't get why we're creating a $count variable and changing
$this->assertEqual(count($this->drupalGetMails(['id' => 'user_password_reset'])), 0, 'No email was sent when requesting a password for an invalid account.');.As far as I can see only the first assertion needs changing.
Unrelated change. Out-of-scope.
This needs testing. Shouldn't be using t() - in fact it would probably be best if read the default config file and got the value from there. Less text to maintain. No need to have a $config_factory variable.
Only need this when logging the unknown or inactive.
I ummed and ahhed about this - given that we log 404s this makes sense. I think we should consider a logging different message for inactive accounts. To make it easy for a site administrator to why they are getting lots of invalid password reset form usage. The log messages need to be tested.
Only need to get this message once for the entire test.
Comment #102
harshit.kansal commented"If an account exists with these credentials, password reset instructions will be sent to the email associated with the account."
Message is relevant to update for this issue as:
"Email sent when requesting password reset using email address." message can still indicates that account exists on drupal site.
Comment #103
benjifisherI think the changes listed in #101 are clear enough that this issue still deserves the Novice tag.
Comment #104
David_Rothstein commentedThis really seems like bad usability to me, and all of it is in service of a level of privacy that I don't think most sites actually want or care about...
Is there a way we can keep the current behavior (helpful error message) in place by default, but make it easily configurable so that sites which do have extra privacy requirements can get rid of it and replace it with generic text?
Also:
I don't understand this help text. It doesn't say anything about supporting tokens a.k.a. variable substitution (the form doesn't even have that, does it?), so if it's just raw text with no variable substitution I don't see how it would even be possible for the administrator to include user-specific information in it even if they wanted to...
I'm pretty sure it should say "...to the email address associated with the account" instead.
Comment #105
cjgratacos commented@alexpott I went ahead and did from point 2 to point 7 from comment #101. I also applied the recomendations by @David_Rothstein on #103. Still a few things are missing due to my lack of knowledge on how it is done in the Drupal Core.
Points that still need to be done:
Comment #106
pritishkumar commentedComment #108
gordon commentedRe-roll Patch for 7.56
Comment #109
yogeshmpawarTriggering Test bots for the patch #108.
Comment #111
sophie.skAnd we're back on this one...!
Patch re-rolled for 8.4 but we'll need a new one for 8.5 no doubt.
Comment #113
mohit1604 commentedAny updates ?
Comment #115
robpowellI am working on this as part of SprintWeekend2018.
Comment #116
robpowellComment #117
robpowellThis hasn't succeeded since #96 which was on 8.4. I am going to reroll just those changes for 8.6 and then try to reapply #101 and #104.
Comment #118
robpowellComment #119
robpowellAwesome will add #105 and so what we get.
Comment #120
robpowellHere's the patch that incorporates #105. @cjgratacos, I updated the phpUnit document - with a huge help by @phenaproxima- let me know if those work for you.
Comment #121
robpowellComment #122
kristen polI'm going to test this so assigning to myself for now.
Comment #123
kristen polThanks for the update. I tested the patch in #120 locally and unfortunately it didn't work for me. Prior to the patch, I saw the
Sorry, john.doe@example.com is not recognized as a user name or an e-mail address.message text. After the patch (and running drush updb), I get redirected to the login page and there is no message.Steps I took:
I'll test on simplytest.me before switching the status just to be sure.
Comment #124
kristen polThis did work on simplytest.me so something must be up with my local.
Comment #125
kristen polI reviewed the code and noticed a couple nitpicks but otherwise it seems fine.
Nitpick: "Arrange constants" is odd wording.
Perhaps something like:
Define constants to be used in the tests.
Awkward wording. And, is there supposed to be a period after session? If it's session.variables then it should stay on one line.
Perhaps something like:
Verify access denied message is shown if password reset form is accessed without a session.
Comment #126
kristen polComment #127
mohit1604 commentedDid changes as per #125 1st point , 2nd point still to be done.
Comment #128
alexpottThis can/should be a post update. See core/modules/system/system.post_update.php
Also this won't work. In order to do this you need to read the value from the user module's supplied configuration.
So we need a test too.
Comment #129
kristen polComment #130
udayraj123 commentedA thought from a security tester's view -
https://hackernoon.com/username-or-password-is-incorrect-is-bullshit-899...
In the last paragraph, he's mentioned what would be the best practice according to him.
Comment #131
no2e commented#130: Yes, a solution is needed for the registration form, too. We have a separate issue for this:
#2346389: Prevent registered email address enumeration via user registration form
Comment #132
kristen polI was wondering why it didn't work on my local (see #123) but worked on simplytest.me (see #124) so I tried again on my local and I understand what is happening now. Per #128, the update hook doesn't do the trick.
I was able to get it to work on my local only by doing a full installation with the patch in place. It did not work when I had a fresh install and then applied the patch and then ran drush updb / drush cim / drush cr.
Comment #133
diamondseaAn additional way of determining existing accounts is to track the timing of the page response, as there will typically be a difference in the response time (might only be milliseconds, but detectable). A defense against this is to include a random delay function such as
usleep(rand(100, 750)); // add random delay of .1-.75 seconds to response to prevent timing attacksbefore returning the page.
This will add some wobble to the response time and prevent identifying existing accounts through this vector.
This will also slow down a brute force iteration of accounts, but at the expense of keeping server resources held a little longer.
The settings can be stored in the yml file so they can be overridden in settings.php if desired.
The same timing should be added in #2346389: Prevent registered email address enumeration via user registration form to prevent that from being iterated.
Comment #134
robpowell@alexpott re: #128, can you elaborate more on why the current update won't work and what testing needs to be added? From @kristen_pol testing, I see it works for a full install but doesn't for an already existing site.
I read the above code as, get the password_reset_text config from the user module.
Comment #135
Mike Lewis commentedI just tested #127 in local here at Drupalcon Nashville. I would call it a partial success. The
message is now gone, but it no longer says
even when I enter a good address.
Comment #136
webchuck commentedAttempting to fix #127 update issue. Hard coding the message into the hook_update_n() function.
Comment #137
kim.pepperReroll #136 and move update hook to post update.
Comment #139
kim.pepperFix for failing test.
Comment #140
lomasr commentedI tested the patch #139. I got no message after applying the patch. I think #135 still needs to be fixed.
Comment #141
acbramley commented@lomasr did you run the post update hooks? Applying the patch and running the updates works for me.
Comment #142
acbramley commentedFunctionally this looks good but there's still a couple of items outstanding from #101:
Need tests for this.
Need tests for this. We could also make it a one-liner.
@alexpott also suggested reading the text directly from the config install file.
Comment #143
kim.pepper#142
Comment #145
acbramley commentedWe shouldn't be using t() in tests.
Comment #146
zuhair_akReplaced t function with sprintf as mentioned in #145
Comment #149
lomasr commentedHow about message like this "If this account is valid, you will receive password reset instructions in your inbox."
Comment #150
zaporylie@lomasr - a similar message is already a part of the proposal, i.e. "If an account exists with these credentials, password reset instructions will be sent to the email address associated with the account."
Comment #151
lomasr commented@zaporylie - Looks good, I just suggested to have a shorter message with same meaning.
Comment #152
mjpa commentedSurely that shouldn't be there?
Comment #153
izus commentedHi,
tried to apply #146 but it needs a reroll.
here is the reroll of #146 with no addition nor modification
Comment #154
izus commentedHi,
here is a patch and the interdiff adressing #152
Thanks
Comment #156
izus commentedHi,
there was a patch change in a core commit yesterday so the patch didn't apply
the only difference between #154 and #156 is changing the path to UserPasswordResetTest.php file
Thanks
Comment #158
gaëlgI'll try to fix the last test error as part of DrupalEurope sprint.
Comment #159
mangy.fox commentedPatch from #139 no longer working on 8.6 due to a different test location, so rerolled.
Comment #160
elendev commentedI'll take a look and do the manual testing
Comment #161
elendev commentedI've been able to reproduce the issue without the patch, with the Umami and Out-of-the-box drupal installation :

I've applied the patch 1521996-156.patch (the 1521996-159.patch is not working, the path to the test class is not correct, I suppose it's the patch for D8.6).
When I try to retrieve the password with the known e-mail and with the unknown e-mail I get the following results :

The patch seems to work fine but the message is not displayed correctly (translation issue ?). I tried with French and English.
Comment #162
elendev commentedComment #163
mjpa commented@mangy.fox the patch in #159 does not address #152
Comment #164
mangy.fox commented@mjpa We just noticed that too! Here's another reroll with it removed.
Comment #165
gaëlgI don't know what to do with the test error in #156 (on 8.7.x). There are calls to ->assertErrorLogged() but this method is not in the class nor in the parent classes.
I found this method in :
- UncaughtExceptionTest
- Drupal\simpletest\TestBase
But we cannot extend these classes because we already extend another one. Should this method be moved to a trait?
Because of this, I guess this issue is not a novice one anymore?
Comment #166
claudiu.cristeaHere we go...
8.6.x.This test was converted to functional and javascript functional tests.
Needs an update path test.
Comment #167
claudiu.cristeaMore on this...
What is the reason for testing if the account is active?
Instead of
$account->id(), use!$account->isAnonymous().Also, what if the user is blocked? Should we send him also the E-mail?
EDIT: In fact we should move the whole logic in UserPasswordForm::submitForm() method. Now, that we don't show a validation error anymore, we should drop ::validateForm() entirely.
Comment #168
mangy.fox commentedReworked #164 for 8.6.x, and checked that it also applies to 8.6.3.
I have also made some changes, as suggested by @claudiu.cristea
* Removed the password reset text field from the UI, so now it has to be updated manually in config or overridden
* Simplified the default message
* Moved the logic from validation to submit as there is no validation to fail
* Updated the new functional tests
As far as I am aware, it is the "isActive" check that prevents blocked users from receiving the password reset email.
I'm not really sure what an update path test looks like so that is still to do.
Comment #169
huzookaTriggering testbot
Comment #170
Anonymous (not verified) commentedWouldn't this better be addressed by implementing a notifications plugin which would allow users to modify all their notifications and would expose an API to the plugins? In this case the User module would "publish" 3 user editable (through plugin UI) messages for the password reset form through the API. Such a plugin would even allow an even greater modularity for Drupal.
Hope this makes sense. If not, I will be happy to elaborate.
Comment #171
ronald.garcia commentedReroll #96.
8.4.x : PHP 7 : MySQL 5.6.35
password-reset-text-1521996-173.patch (8.25 KB)
Comment #172
alanhdev commentedRe-rolled the previous patch from #168 so it applies to 8.7.x
EDIT: Work in progress. That doesn't apply properly. I'll rework it.
Comment #173
alanhdev commentedRe-rolled patch from #168 to apply to 8.7.x
Comment #174
alanhdev commentedFixed a failing test in #173.
Comment #177
sharif.elshobkshy commentedHi guys.
For now, instead of applying a core patch, I'm trying (unsuccessfully) to override that validateForm function for UserPasswordForm.
As described above, I'm able to override the class and all public functions other than the validateForm.
Also, if I try to override the validate function in a hook_form_alter, like this:
It stills goes to the original validateForm callback.
Can anyone help me with this particular issue? Why am I not able to override the validateForm callback?
Thanks in advance.
UPDATE: Nevermind. I discovered I'm not able to override the validateForm because of a contrib module hardcoding and forcing the callback (user_registrationpassword).
Thanks.
Comment #178
ashu1629 commentedComment #179
ashu1629 commentedComment #180
ashu1629 commentedWrapping $message inside t() function in submit function. It is a change in patch https://www.drupal.org/files/issues/2018-11-14/password-reset-text-15219...
Comment #181
ashu1629 commentedHi guys,
The following patch does not use the configuration variable to set the message. This approach helps us in the following ways:
1. The message can be made translatable by passing it through t() function. Earlier we may need to pass the $message variable via t() which is not according to Drupal standards.
2. The message still cannot be changed using UI so security is maintained.
3. If anyone wants to change the message, he or she can do it using the translation interface easily. This right generally remains with the administrator, so security is also maintained.
cc @claudiucristea
Comment #182
ashu1629 commentedComment #183
ashu1629 commentedComment #185
matteodem commentedThis patch makes the configured message translatable.
Comment #186
darrenwh commentedRerolling the patch for the latest version of core 8.8.0
Comment #187
darrenwh commentedComment #189
darrenwh commentedRemoved my last contributed patch as it failed
Comment #190
darrenwh commentedBumping this up to a Major, the current functionality allows malicious visitors to find out if people have accounts on the site, if the site is of a sensitive nature it can have serious consequences.
Comment #191
klausiI think this should not be major because an attacker can also find out on the registration form if a certain email address has an account.
So this patch only helps if you have no registration form on your drupal site. Otherwise attackers can just use the registration form instead.
Please also note that other sites such https://github.com/ also have this vulnerability. I can check any email address if it has an account on the registration form.
This also decreases usability for users since they might be resetting their password with the wrong email address and then wonder why they never get an email. Right now you immediately know that you typed in a wrong email address.
So although the decreased usability vs. better privacy is probably a tradeoff we accept I still think this should not be major.
Comment #192
cilefen commentedGood points, and as far as I know, https://www.drupal.org/project/username_enumeration_prevention is the thing to use until this lands. On my *ehem* non-Drupal projects we tend not to allow enumeration this way if there is no registration feature.
Comment #193
alanhdev commentedThere are valid scenarios where it is not desirable that a site discloses whether a user account is active. It's especially relevant if the email address is used to log in.
However, the password reset process is only one of the potential points of disclosure. For instance, even if a generic login failure message is used, user flood protection will reveal the validity of a user as it is based on the account ID and IP rather than the actual name entered in the form.
In order for it to be worthwhile pursuing, all potential points of disclosure/enumeration must be covered. Arguably, this is an issue that would be better handled by enhancing the username_enumeration_prevention module for those that need it due to the nature of the site rather than trying to patch core to fix something that the community largely agrees isn't broken.
Comment #194
no2e commented@klausi (#191)
We have a separate issue for the registration form: https://www.drupal.org/project/drupal/issues/2346389
If 'major' is warranted for one, it should be given to both issues, I guess.
Comment #197
spudley commented@no2e yes, both issues should be major. Come on Drupal; you've had patches for this submitted over and over again for the best part of a decade. How is it not done already?
Comment #198
nginex commentedReroll against 8.9.x
Comment #199
ravi.shankar commentedWorking on this.
Comment #200
ravi.shankar commentedHere I have tried to fix failed tests.
Comment #202
jozzy_a commentedAlter patch 198/200 to work on 8.8.8
Comment #203
jozzy_a commentedComment #204
jozzy_a commentedComment #205
kristen polI'm unclear why the patches are being rolled against 8.*. It normally should be created against 9.1 and then it will be backported if it's eligible. Let me know if I'm missing a reason why 8.* is targeted.
Comment #206
jozzy_a commentedThis security vulnerability also has an impact on the 8.8.x branch.
According to https://www.drupal.org/project/drupal/releases/8.8.8 there would be security coverage until 2nd December 2020. This final patch created on this ticket should really be ported over to 8.8.x as there is 4 month left of the security coverage.
I am happy to create an additional issue for this patch to be rolled against the latest 8.8.x release?
Comment #207
kristen pol@jozzy_a Thanks. Normally the most recent version is targeted and then there are rerolls for previous versions as needed. Since the 8.8* patch is failing tests, IMO it would be good to focus on the 9.1 version first.
Comment #208
kristen polNot that we want more tags but working on this for the Bug Smash Initiative and forgot to tag it.
Comment #209
jozzy_a commentedComment #210
quietone commentedRerolling for 9.1.x
Comment #212
quietone commentedThe test is failing in the form validation where "%name is not recognized as a username or an email address." which contains information that according to the issue summary should not be displayed. Removing that from the validation allows the test to pass. Let's see if any other test fails.
Comment #213
longwaveI don't think this message is correct. First I think it should be "if your account is unlocked...", and second: how do I know if my account is "locked" (or unlocked)? I think we need to come up with something a bit more user friendly.
Removing "needs upgrade path tests" as this is just a straight change, there is no upgrade path here.
Comment #214
quietone commentedThe IS suggests using the string, "Further instructions have been sent to your e-mail address.". How about that?
Actually, maybe this needs the UX review?
Comment #216
vivek panicker commentedPatch seems to fail to apply.
Need to create a new one.
Comment #217
vivek panicker commentedComment #218
vivek panicker commentedChange the string
e-mailtoemailsince otherwise translations were breaking in my project.Comment #219
quietone commentedRerolled for 9.2.x after #86287: Password reset process ignores the user's language preference was committed.
Comment #220
quietone commentedOn a brief self review I noticed that a comment that needs changing.
s/using current language//
Comment #221
dwwI almost never use the UI for this, but a few days ago I had an occasion to do so. As the form submitted successfully, I said to myself: "that’s too bad, the UI confirms my email address for anonymous users." Then @quietone pinged about this in #bugsmash and I was happy to volunteer to review.
I see nothing else to improve here, either in the issue, nor the patch. Therefore, RTBC.
Thanks everyone!
-Derek
Comment #222
dwwSorry, I missed. ;)
Comment #223
alexpottThis value is no longer used. However I think we should still use it. It makes us less likely to break things like http://codcontrib.hank.vps-private.net/node/31023764#line-483
This code could be...
less change and less repeated loading of entities.
It's no longer error text - right? I think that the comment should be changed to say that this text is deliberately the same as the success message for privacy.
Comment #224
quietone commented@alexpott, thank you for the review.
This patch fixes all the points in #223.
Comment #226
dwwThanks, @alexpott, and sorry for not noticing #223.2. Agreed #224 is better.
The test fail is an unrelated JS random.
But instead of re-queing, maybe we can fix this, too:
This seems like an out-of-scope change. Sorry I didn't notice that before, either.
Thanks,
-Derek
Comment #227
quietone commentedRemoving out of scope change, thanks to dww on Slack.
The failing test is in \Drupal\Tests\field_layout\FunctionalJavascript\FieldLayoutTest::testChangingFormatterAndRegion which I hope is an unrelated random test failure. I don't think I have even been able to run FunctionalJavascript tests locally so won't be much help if it is not.
Comment #228
dwwThanks @quietone and @alexpott!
#223 is fully addressed, as is #226. Smaller, simpler patch with a tighter scope. Tests are passing as expected. All's well. Back to RTBC.
Cheers,
-Derek
Comment #229
mjpa commented1. The issue description mentions removing the "that email is blocked" message, because it still lets someone know that the user had an account. The patch in #227 doesn't remove that message. There's also the message stating the request was blocked as the account has had too many password reset attempts - this again lets someone know the email is used on an account. Unless I've missed something, both of those messages shouldn't be there?
2. I don't agree with the message "Further instructions have been sent to your email address." that gets shown regardless of it being a valid email or not, it suggests the email exists. We know its shown to everyone, but will it make someone trying to check if an email exists on an account assume an account does exist? Would something like "If a matching active account was found, further instructions will have been sent to your email address." be better?
Attached a patch addressing part 1 as I think that should be done. Patch does nothing for part 2 at it's just my opinion and looks to have been discussed previously and the message in the patch agreed on?
Comment #231
ressaThanks for weighing in @mjpa, perhaps you can include an interdiff to make it easier to spot the changes?
Comment #232
mjpa commentedYep, not a problem. Realised I'd forgotten about the tests, so this patch includes updates to the tests that I think are correct but want another set of eyes on them as there seems to be 2 different ways that the existing tests check if an email was sent?
Interdiff is between #226 and this patch, other than changes to the tests, its the same as #229.
Comment #233
mjpa commentedComment #234
alexpottIt feels a comment is worth it here to explain that the same message is used regardless of whether an email is sent to increase privacy.
Comment #235
quietone commentedAddressing #234, and #223, about adding a new comment in UserPasswordForm. Previously, I wrongly put it in the test.
Comment #236
quietone commented229.1. Yes, that should be changed too.
229.2 There is still work to do to agree on the text of the message. There the suggestion is "If a matching active account was found, further instructions will have been sent to your email address.".
I did some searching and testing with gitlab and my email service etc and came to the conclusion that the best option is to use the suggestion from the OWASP Authentication Cheat Sheet Password recovery which is "If that email address is in our database, we will send you an email to reset your password."
Comment #237
dpagini commentedI recently came across this issue and haven't read all the way back up here... This seems like it's getting pretty close lately to having some consensus.
What about agreeing on a default, and providing the message as a config value so sites can change it? Or maybe the default can be what's there today, and we can at least give sites a way to comply with OWASP recommendation?
Just some thoughts I had while reviewing...
Comment #238
quietone commentedNeeds a reroll because of #2409657: Login screen after requesting new password is irrelevant
Comment #239
quietone commentedThis patch implements the OWASP Authentication Cheat Sheet Password recovery suggestion of "If that email address is in our database, we will send you an email to reset your password."
Comment #240
quietone commentedUpdate after screenshot in the IS
Comment #241
larowlanShould this would be 'Make sure the status text is displayed
andeven if no email is sent'?Other than that, this looks great to me
Comment #242
quietone commentedYes, I agree. Although I added 'was', as well.
Comment #243
larowlanThis looks good to me
Comment #244
mjpa commentedLooks good to me too
Comment #245
dwwThanks for all the improvements and progress in here!
Re: #229.1: Good catch!
Re: #229.2: Yeah, I said something similar in #221.4. Addressed by #239.
Re: #234: 👍 Agreed.
Re: #236: 👍Sounds good.
Re: #237: If sites want to change this, they can alter the form. I think we should have a good default and not have a confusing config knob for this.
Re: #238: Thanks for the link, glad to see that other issue is now fixed, too. 😉
Re: #241: 👍 Agreed.
Re: #242: In light of #229.1, I applied the patch and carefully reviewed everything in validateForm() and submitForm(). Everything now looks great, with one possible super tiny nit:
It's a little jarring that these two similar
logger()calls are wrapped differently. Maybe worth being more consistent? Attached here in case @quietone and others think it's an improvement, but leaving #242 as the RTBC patch...Thanks again!
-Derek
p.s. Looking at
UserPasswordResetTestI see there's nothing that checks what ends up in the logs. That's nothing new. But I'm wondering if it's worth a follow-up to add some test assertions about logging activity in this whole process?Comment #246
quietone commented@dww, sorry about the jarring code. :-)
Yes, lets add a followup for tests. Good on you for checking on that. I have searched the user.module issue and I don't see a similar issue so it doesn't look like a new one would be a duplicate.
Comment #247
longwaveThis is probably bikeshedding but I don't think we use the "we" form elsewhere in messages. Also, sending the email doesn't reset the password by itself; further steps must be taken.
How about "If that email address is in our database, an email will be sent with instructions to reset your password."
Comment #248
quietone commentedOK, let's try that one.
Comment #249
alexpottTicked the credit boxes for people who have made comments that have helped move the issue along or changed the patch in a significant way.
As @penyaskito points out this is half the problem - the other half is #2346389: Prevent registered email address enumeration via user registration form - however given sites with a focus on privacy often don't allow registration I think it is okay to proceed here.
Comment #250
alexpottSo the thing we lose here is the usability of knowing when you've mistyped your email address. That's understandable given the aim of the issue. I think we can fix this by repeating the user input in this string. This was recommended a long long time ago in this issue... see #2 from @pdrake.
I think we should consider making the message:
Because then at least the user has the chance to think "oh drats" I mistyped that.
Comment #251
spokjeCreating patch addressing #250
Comment #252
spokjeLet's see what TestBot thinks about this patch addressing #250
Comment #253
quietone commentedAdd another suggested text to the IS and a new screen shot
Comment #254
dwwThanks again for the progress here. Almost RTBC! ;)
I'm not sure about "is in our database" for this text. That also seems out of step with most Drupal UI text. I originally proposed:
I agree with #250 that putting what the user typed into the message will help the UX concerns, so how about this?
Or something? 😉
Meanwhile, some more tiny nits:
This change is out of scope.
"emails was" isn't correct English grammar. Both need to be plural or both singular. "Ensure no further email was sent."
"a further email was sent" is a little clumsy. How about:
"Ensure another email was sent."
?
These 3 are fixed with the attached patch. I didn't want to unilaterally change the text, yet, so leaving that part for further consensus before making that change. If folks are happy with the old text, this patch is probably RTBC.
Thanks again,
-Derek
Comment #255
dwwHere's a patch for my proposed new wording:
If folks RTBC, they should be clear if they prefer #254 or #255.
Thanks!
-Derek
p.s. Also fleshed out code comments a bit in
assertNoValidPasswordReset()to hopefully be more clear.Comment #256
quietone commented@dww, thanks for another suggestion with patch.
It seems that the patch itself is considered RTBC, except for the wording of the user facing text. To resolve this how we split this into two issues one to put the structure in place (this issue) and another to improve the message. I am suggesting this because this is a security related issue and we should get something in ASAP and make improvements later.
Now, that still leaves the problem of what to use as the message right now in this patch. For that I would suggest we stick with the OWASP suggestion. And then in a followup discuss how to word that for our community.
Would that work for everyone?
Comment #257
alexpottI made a mistake when I suggested using the
@identifier- this should be%identifier. It should be really really clear what is the user supplied content.I've also been pondering whether we should add validation that
$form_state->getValue('name')is either a valid email address or a valid name in the form validation. See\Drupal\user\Plugin\Validation\Constraint\UserNameConstraintValidator::validate()and\Drupal\Component\Utility\EmailValidator::isValid(). This would prevent people from posting to this form and doing a reflected content sort of attack while still allowing a user to check their input if they've entered something that could be a username or an email address.Comment #258
spokje+1 for @quietone proposal in #256 to make the wording a separate, follow-up issue.
I can see this issue being open for another 8 years whilst we discuss wordings and eventually the suggested voice in your head to have the wording spoken out in. (I'm personally tied between Morgan Freeman and Samuel L. Jackson...)
I think the "general consensus" is that, besides the wording, the user-entered user-name/user-email-address should at least be in this message to prevent:
.
Comment #259
spokjeAttached patch addressed:
Keeping at
Needs workbecause this is not addressed yet:@alexpott in #257
Comment #260
dwwRe: #256 - Not up to me to decide, but a) we're very close here, b) we've already identified problems with the default OWASP suggestion, c) the whole point of this issue is changing the user-facing text, d) core still has its usability gates and all that. So I think we're better off doing it all at once.
Re: #257: 👍 for %identifier. Since the form takes both email addresses and usernames as input, and since all valid email addresses are valid usernames, the most we can do is check for a valid username. Valid email is more restrictive, but we have to allow input that's not valid email.
Re: #258 I don't think that's fair. We're not debating wordings for the sake of delay, we're trying to get this to the point that a core committer will actually commit it.
So here's validation for the username and a test. This would user be easier if we could simply use
user_validate_name()here. ;) That's not (yet?) deprecated, so it *should* be okay. So that's this patch. Much smaller change.Comment #261
dwwHere, we "properly" re-implement
user_validate_name()with DI and deprecation warnings and all that jazz. The lengths we go to avoid procedural code...This is incomplete, since:
a) I didn't open a CR for a nid in the deprecation message
b) I didn't add a deprecation test for calling the constructor without the new service
I don't think any of this is worth the hassle. If folks don't like user_validate_name(), we can do all this when that's deprecated. I much prefer #260. But if we need it, here's most of the code.
Thanks,
-Derek
Comment #262
larowlanThat feels out of scope here to me, its not clear if @alexpott meant in this issue, or as a follow-up - can you clarify @alexpott?
Comment #263
dwwRe: #262: Thanks for clarifying! If that's all for a follow-up, then #259 should be RTBC.
Also, so it doesn't get lost/forgotten, I opened #3189294: Add test coverage of logging performed by password reset form for the followup I proposed in the p.s. @ #245.
Cheers,
-Derek
Comment #264
alexpottLet's not remove this trim... it's fine and helpful. It means we need a slightly different text but that's okay.
This is not true... the username has a length limit shorter than email address therefore we also need to check whether the thing is a valid email address address. We might want to do that before doing the username validation or add it to the
if ($violations...Love this. Something like this is exactly what I was hoping to see :)
Comment #265
quietone commentedI was thinking the same as larowlan in #262.
@alexpott, can you clarify, please?
Comment #266
alexpott@larowlan / @quietone we're reflecting user input in a form for anonymous users I think we should be double careful about what we put into the message to make it hard to construct a message that would be misleading. Using user name validation and email validation limits what a user can inject in the message. I'm not concerned about XSS here - auto-escape will take care of that. It's more the user engineering that possible with reflected content attacks.
Comment #267
dwwOkay, I'll take a stab at #264.
Comment #268
quietone commented@alexpott, thank you. I agree that if this is reflecting user input then the extra work needs to be done. What I guess I didn't make clear is that I think adding the user input to the message which then requires doing due diligence and adding validation is out of scope. It should be done in a followup. However, we have a patch that adds that and, if consensus is to continue with it, I am fine with that.
@dww, thanks. It is too late for me work on this.
Comment #269
larowlanAh, yep didn't consider social engineering now we output the input values, good call
Comment #270
dwwOf course, @alexpott is correct on what's valid. ;)
1521996-268.test-only.patch is the code from #261 with the updated test for the super long email address case (with a tiny change to use the old error message text so we don't get a false negative on the invalid username assertions), plus drupalci.yml to only run this test.
1521996-268.patch is the full deal, should be green.
Interdiffs from #261 to both attached.
https://www.drupal.org/node/3189310 is the CR, so the @todo about that is gone.
I hope we don't also need deprecation tests for this.
New screenshots in the summary. Updated API changes. I didn't completely edit the remaining tasks about agreeing on the wording, since the current is basically my proposal and I'd rather someone else confirm we're agreed. ;)
RTBC?
Thanks!
-Derek
Comment #271
dwwSorry, d.o got confused by the x-post w/ @quietone + @larowlan :/
Comment #272
dwwArgh, I missed the closing ". ;)
Fixed that, and re-uploading #268 so the RTBC bot isn't confused.
Comment #274
longwaveI don't get why we trim after validating. If we are going to trim, isn't it friendlier to the user to do so before validating? e.g. if they are copying and pasting from somewhere and accidentally add a leading or trailing space, we remove it for them, as we can accept it anyway.
Comment #275
alexpott#274 +1 we should definitely trim before validating.
Comment #276
spokjeTrim-before-validation-patch attached addressing #274 and #275.
Comment #278
dwwComment #279
dww(sorry, comment #fail)
Yeah, if you trim() first, the test we added for an invalid username won't trigger. We need to violate the length or something else.
Comment #280
spokjeThanks @dww for the new patch.
I was looking at forcing an invalid username by applying two spaces in the middle:
but weirdly/interestingly that returns the validation-error message:
'multiple spaces' is not a valid username or email address., so without the multiple spaces in the username.Is this something for a follow-up or even this issue to fix, since we're not showing the exact user-input in the validation error message?
alexpott in #250
Comment #281
mjpa commentedRe #280: Is that not just browsers collapsing multiple spaces to 1 single one on display rather than Drupal doing something to them?
Comment #282
dwwIndeed, #281 is the answer to #280. It's how HTML works with whitespace. We'd have to do something unholy like use
<pre>inside there. Kinda whacky. I'm not sure any of it is worth any more effort.So, any final concerns with #279? RTBC?
Thanks again,
-Derek
Comment #283
alexpottI think it is absolutely fine that the validation error does not have the input
As we're erroring we don't need the identifier in the input in the error message. And this would allow for exactly the content spoofing we're adding the validation to prevent :) so let's not addd the identifier here. It's important to add the identifier to the success message because then we're telling the user everything might be successful.
Comment #284
quietone commentedOh, this is closer, Thanks everyone!
#283 I'll make a new patch but what is the text is to be used?
Comment #285
alexpott@quietone how about
The username or email address is invalid.Comment #286
spokjeAttached patch addresses #285
@quietone: I hope you'll forgive me, but I figured it's getting a tad late in New Zealand for patch-creating. Just trying to move this one along to RTBC (as we all are :) )
Comment #287
quietone commented@Spokje, no need for forgiveness, it is very considerate of you to be aware of my timezone. And it is more important to continue the progress here. We are sooo close! :-)
Comment #288
spokje@quietone:
Just prepping for an upcoming DrupalCon Trivia night. At some point they're bound to ask d.o. UIDs and timezones... 😇
Comment #289
longwaveAll concerns seem to have been addressed, this looks ready to go.
Comment #290
alexpottAs we're changing strings here we can only do this in 9.2.0. Also as this is a small but impacts a lot of user's experiences I think we should have a change record that details the changes in UX made by the issue. Also I think this should be featured in the 9.2.0 as a privacy improvement. I've seen custom and contrib code to address this issue. Therefore we need a release note snippet. Once we have the new CR and the release note snippet then we're go to go - i think.
Comment #291
quietone commentedUpdate IS and added a release note snippet.
That leaves the change record. Does the previous comment mean add a second change record or expand on the existing one?
Comment #292
quietone commentedBetter screenshots
Comment #293
quietone commentedSecond CR added. It needs formatting help.
Comment #294
spokje@quietone: I like the new CR. The only thing I would like to add is the before/after screenshots (as we have in this topic), but I'm not sure if that's even allowed in a UX CR?
Comment #295
alexpottI've re-formatted the new CR a bit so it's obvious what is CR text and what is a message produced by Drupal. I don't think we need to add images to the CR. The way the message looks is very dependent on your frontend theme.
Comment #296
spokje@alexpott:
Makes full sense to me.
Since I think we now addressed all the remarks in #290 are we now, indeed, good to go and can this issue be RTBC again?
Comment #297
quietone commented@Spokje, Yes I think this can go back to RTBC, but also don't think I should do it either.
Comment #298
sokru commentedPatch #286 failed to apply, so here's a reroll. Failed to create real interdiff, so attached is done with diff. Tested with reroll and will set to RTBC if tests pass.
Comment #299
sokru commentedWorks fine and looks good to me.
Comment #300
dwwGlad to see this RTBC, thanks! Reroll in #298 looks good when comparing locally. +1 to the RTBC.
Added #3192684: Comment name validation reveals whether an email or username is in use as a related issue. I searched, but didn't find any existing issues about it. Would love feedback on how to best solve that one. ;)
Thanks again,
-Derek
Comment #301
alexpottCommitted 5f04357 and pushed to 9.2.x. Thanks!
If someone want to backport this to Drupal 7 then a new issue will need to be opened.
Comment #303
c-logemannThanks everybody for contributing to this long term issue.
Comment #304
no2e commentedAwesome, thanks everyone!
In case someone is interested, we have the same issue with the registration form:
#2346389: Prevent registered email address enumeration via user registration form
Comment #306
izmeez commentedNow this is fixed in D9 is it time for the backport to Drupal 7, continuing with re-roll in comment #108 #1521996-108: Password reset form reveals whether an email or username is in use or do we need a new issue?
Comment #307
solideogloria commentedComment #308
dww@izmeez: Yes, a separate issue for the D7 backport is a good idea. Once an issue is "Closed (fixed)" a) it can't be reopened by regular users and b) the visibility on further comments is almost nil. So yes, if you care about trying to fix this for D7, a new child issue would be needed.
Thanks,
-Derek
Comment #309
izmeez commented@dww Thanks for direction. Backport issue created with re-rolled patch #3200198: [D7] password reset form prevent revealing email or username in use.
Comment #310
ankitv18 commentedRe-roll the patch for 8.9.x
Comment #311
wagu commentedRe-roll the patch for 9.1.x
Comment #312
joao sausen commentedThis same issue happens at Drupal\user\Controller\UserAuthenticationController::resetPassword()
Comment #313
avpaderno(I reverted the change to the IS done from wguesmi09, who removed all the text. I apologize for bumping this issue.)