Lost pass disclosure fix (#89)
FIX for issue #88: response from RESTfulAPI_TokenAuthenticator::lostPassword() is now the same regardless of whether an email was sent or not
UndefinedOffset authored and colymba committed Jan 4, 2018
1 parent 5833442 commit 3463f4e
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions code/authenticator/RESTfulAPI_TokenAuthenticator.php
Expand Up @@ -217,7 +217,6 @@ public function lostPassword(SS_HTTPRequest $request)
{
$email = Convert::raw2sql($request->requestVar('email'));
$member = DataObject::get_one('Member', "\"Email\" = '{$email}'");
$sent = true;

if ($member) {
$token = $member->generateAutologinTokenAndStoreHash();
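Review bot: dropping `$sent = true;` is correct since the flag no longer drives the response, but the lookup two lines above still builds the SQL by interpolating `$email` into `"\"Email\" = '{$email}'"`. `Convert::raw2sql` escapes the value so this is the accepted SilverStripe 3 pattern, yet a parameterised lookup such as `Member::get()->filter('Email', $email)->first()` avoids hand-built string SQL and is easier to audit; worth doing while this function is being touched.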
Expand All @@ -228,10 +227,10 @@ public function lostPassword(SS_HTTPRequest $request)
'PasswordResetLink' => Security::getPasswordResetLink($member, $token)
));
$e->setTo($member->Email);
$sent = $e->send();
$e->send();
}

return array( 'email' => $sent );
return array( 'done' => true );
}
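Review bot: the return value of `$e->send()` is now discarded, so a failed delivery is silent for both the caller and the operator. The uniform `array('done' => true)` response is the right fix for #88 (the body no longer reveals whether the address exists), but record a failed send server-side, e.g. `if (!$e->send()) { SS_Log::log("Lost password mail failed for member {$member->ID}", SS_Log::WARN); }`, so support can still see delivery problems. Note also that the two branches still do different amounts of work (token generation plus mail send versus nothing), so response timing is not uniform even though the body is; that is a separate concern from this change but should be documented.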

