Opened 2 months ago

Closed 2 months ago

#35834 closed Bug (wontfix)

PasswordResetForm doesn't forward exceptions when email sending fails

Reported by: Olivier LEVILLAIN Owned by:
Component: contrib.auth Version: 5.1
Severity: Normal Keywords:
Cc: Olivier LEVILLAIN Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

In PasswordResetForm, the code to send the reset email is:

    try:
        email_message.send()
    except Exception:
        logger.exception(
            "Failed to send password reset email to %s", context["user"].pk
        )

==> If the email sending fails (because, for instance, of an email password change), the user who asked for a reset will see it as a success and never receive his email, and the admin will have to look at the logs to understand what happened.
It would be better if the exception was forwarded and an error appeared on the user's screen.

Change History (1)

comment:1 by Tim Graham, 2 months ago

Resolution: wontfix
Status: new → closed
Type: Uncategorized → Bug

When submitting an issue like this, you should check why the code was added. In this case, your proposal is to revert a security patch:

In 8c35a0a903fd979e3262fe300ca084ffbfb300d6:

Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails.

On successful submission of a password reset request, an email is sent to the accounts known to the system. If sending this email fails (due to email backend misconfiguration, service provider outage, network issues, etc.), an attacker might exploit this by detecting which password reset requests succeed and which ones generate a 500 error response.
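The following is an added illustration of the point in the comment above; it is not Django's code and is not part of the ticket. It models a reset view in two variants: a hypothetical `reset_leaky`, which lets a send failure propagate the way the reporter asks for, and `reset_uniform`, which logs and swallows the failure as the CVE-2024-45231 fix does. `KNOWN_USERS`, `SendFailure`, the two send stubs and `response_for` are all constructed for the example. The uniform variant gives a client the same observable outcome whether or not the address belongs to an account, which is the property the fix protects.

```python
"""Added example (not Django's code): why PasswordResetForm swallows send
failures. A view that re-raises turns a broken email backend into an
account-existence oracle; a view that logs and returns uniformly does not."""
import logging

logger = logging.getLogger("password_reset_demo")

# Constructed sample "user table": only these addresses have accounts.
KNOWN_USERS = {"alice@example.com": 1, "bob@example.com": 2}


class SendFailure(Exception):
    """Stand-in for an SMTP/backend error (hypothetical)."""


def always_failing_send(to, body):
    """Email backend that is misconfigured: every send raises."""
    raise SendFailure("backend misconfigured")


def working_send(to, body):
    """Email backend that succeeds."""
    return True


def reset_leaky(email, send):
    """Hypothetical pre-fix behaviour: a send error propagates, so the
    request fails (HTTP 500) only when the address belongs to a real user."""
    user_id = KNOWN_USERS.get(email)
    if user_id is None:
        return "sent"  # unknown address: nothing to send, still report success
    send(email, "reset link")  # failure bubbles up to the caller
    return "sent"


def reset_uniform(email, send):
    """Behaviour matching the fix: failures are logged for the operator and
    the caller sees the same result whether or not the account exists."""
    user_id = KNOWN_USERS.get(email)
    if user_id is not None:
        try:
            send(email, "reset link")
        except Exception:
            logger.exception("Failed to send password reset email to %s", user_id)
    return "sent"


def response_for(view, email, send):
    """What a client would observe for one request: '200' or '500'."""
    try:
        view(email, send)
        return "200"
    except Exception:
        return "500"


def observable_difference(view, send):
    """True if a known and an unknown address produce different responses,
    i.e. the view leaks whether an account exists for the address."""
    known = response_for(view, "alice@example.com", send)
    unknown = response_for(view, "nobody@example.com", send)
    return known != unknown


if __name__ == "__main__":
    print("leaky view leaks with broken backend:",
          observable_difference(reset_leaky, always_failing_send))
    print("uniform view leaks with broken backend:",
          observable_difference(reset_uniform, always_failing_send))
```

With a working backend both variants behave identically; the difference only appears once sending fails, which is exactly the outage scenario the commit message describes, and the operator still gets the failure in the logs from the uniform variant.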
