Opened 8 years ago

Last modified 8 years ago

#27518 closed Cleanup/optimization

HTTP Referer leaks password reset link — at Initial Version

Reported by: Romain Garrigues
Owned by: nobody
Component: contrib.auth
Version: 1.10
Severity: Normal
Keywords: password reset
Cc:
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Hi security team!

I read an article titled "Is Your Site Leaking Password Reset Links?" (https://robots.thoughtbot.com/is-your-site-leaking-password-reset-links) and I just realised that by using the classic Django password_reset_confirm view, my password reset link was effectively sent to other websites in the HTTP Referer header.

The use case is this one:

  • A customer receives a link to be able to reset his password on a Django-powered website,
  • He clicks on this link and arrives on a page with the password change form, and if on that page there are calls to external resources, like a CDN, the whole URL will be sent in the HTTP header of the request,
  • If he directly resets his password, no issue, the token is no longer valid,
  • If for any reason he doesn't reset his password straight away, some external website could get this URL and change the password on behalf of the user.

Removing the HTTP Referer header (http://stackoverflow.com/questions/6817595/remove-http-referer) can be a solution, but wouldn't it be interesting to implement some checks in the Django password_reset_confirm view?

After some discussions with the security team, it has been classified as not really serious and could be discussed in public.
I will propose 2 approaches to solve it, with their respective issues.
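The following is an added illustration, not code from the ticket or from Django, of one mitigation for the leak described above (the pattern Django's later PasswordResetConfirmView uses): the real token is accepted once, moved into the server-side session, and the browser is redirected to a URL whose last segment is a fixed placeholder, so the Referer sent with subsequent CDN requests contains nothing usable. The HMAC stand-in for the token generator, the session key and the request/response classes are assumptions made for a self-contained, framework-free demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

SECRET = b"constructed-demo-secret"  # placeholder only; a real deployment uses its own secret
RESET_URL_TOKEN = "set-password"     # hypothetical placeholder segment shown in the URL instead of the token
SESSION_KEY = "_password_reset_token"  # hypothetical session key


def make_token(user_id: str) -> str:
    """Constructed stand-in for a password reset token generator (HMAC over the user id)."""
    return hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def check_token(user_id: str, token: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the token."""
    return hmac.compare_digest(make_token(user_id), token)


@dataclass
class Request:
    session: dict = field(default_factory=dict)  # server-side session, never visible in a URL


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # redirect target for 302 responses
    body: str = ""


def password_reset_confirm(request: Request, user_id: str, token: str) -> Response:
    """Two-step confirm view: first hit carries the real token in the URL and is
    redirected to a token-free URL; later hits read the token from the session."""
    if token == RESET_URL_TOKEN:
        # Second step: the URL holds only the placeholder, the session holds the token.
        session_token = request.session.get(SESSION_KEY)
        if session_token and check_token(user_id, session_token):
            return Response(200, body="password change form")
        return Response(200, body="invalid or expired link")
    if check_token(user_id, token):
        # First step: stash the valid token and get it out of the address bar.
        request.session[SESSION_KEY] = token
        return Response(302, location=f"/reset/{user_id}/{RESET_URL_TOKEN}/")
    return Response(200, body="invalid or expired link")
```

Any external resource loaded by the form page now sees a Referer ending in `/set-password/`, which is useless without the session cookie that stays with the user's browser.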

Change History (0)
