Issue 564

Title: Password reset sends new password to wrong email
Priority: bug
Status: chatting
Superseder: (none)
Nosy List: ezio.melotti, ikelly, kinggreedy, stephen
Assigned To: (none)
Topics: (none)

Created on 2015-01-31.16:23:59 by ikelly, last changed 2015-03-28.17:55:05 by kinggreedy.

Files
File name: forgotmail.diff | Uploaded: kinggreedy, 2015-03-28.17:55:05 | Type: text/plain
Messages
msg2944 (view) Author: ikelly Date: 2015-01-31.16:23:59
I lost my password for bugs.python.org and tried to use the password reset tool, entering my personal email address. I received the confirmation email with the password reset link, but when I followed it, the tracker indicated that it had reset the password and sent email to a separate address, a work-related email address that I no longer have access to. No email showed up in my personal account.

Instead of or in addition to the primary email address on the account, it seems to me that these emails should at minimum be sent to the email address that was used to initiate the password reset.
msg2945 (view) Author: stephen Date: 2015-02-01.17:39:51
Ian Kelly writes:

 > Instead of or in addition to the primary email address on the
 > account, it seems to me that these emails should at minimum be sent
 > to the email address that was used to initiate the password reset.

I assume you mean that the email used to reset is in fact registered
as a secondary address on that user.  If not, it's clearly a major
security hole.
msg2946 (view) Author: ikelly Date: 2015-02-01.18:03:44
Yes, the email used to reset was a secondary address. I don't think an unregistered email could be used to start the reset process since it wouldn't identify the account.
msg2951 (view) Author: ezio.melotti Date: 2015-03-08.11:52:57
I think you should report this upstream: http://issues.roundup-tracker.org/
msg2953 (view) Author: kinggreedy Date: 2015-03-28.10:10:35
I think a fix for this is possible, and I'm looking into it.
However, the secondary email address(es) were not verified. Thus it can create some security issue when the user can reset their password. But I think it's not a big problem, since changing the primary email address also doesn't require the user to verify their new email address.
msg2954 (view) Author: kinggreedy Date: 2015-03-28.17:55:05
I've attached the patch regarding this issue.
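The reset flow the thread describes, written out as an added example. This is not Roundup's code and not the attached forgotmail.diff; the class and function names (User, ResetFlow, request_reset, confirm_reset), the token lifetime and the mail callback are assumptions made for illustration. It records which registered address started the reset and delivers both the confirmation link and the outcome to that address, refuses addresses that are not registered on any account (the case msg2945 calls a security hole), and keeps a `send_to_initiator=False` switch that reproduces the reported behaviour of mailing only the primary address. It does nothing about the point in msg2953 that alternate addresses are unverified; it only restricts resets to addresses the account already lists.

```python
"""Password-reset flow that mails the address which initiated the reset.

Added example, not Roundup's own implementation. All names are hypothetical.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link


@dataclass
class User:
    username: str
    primary_email: str
    alternate_emails: List[str] = field(default_factory=list)
    password: str = ""

    def owns(self, email: str) -> bool:
        """True if the address is the primary or one of the alternates."""
        known = {self.primary_email.lower(), *(a.lower() for a in self.alternate_emails)}
        return email.lower() in known


@dataclass
class PendingReset:
    username: str
    requested_via: str   # the registered address that started the reset
    expires_at: float


class ResetFlow:
    def __init__(self, users: List[User], send_mail: Callable[[str, str], None],
                 now: Callable[[], float] = time.time, send_to_initiator: bool = True):
        self.users = {u.username: u for u in users}
        self.send_mail = send_mail          # (recipient, body) -> None
        self.now = now                      # injectable clock for expiry tests
        self.send_to_initiator = send_to_initiator
        self.pending: Dict[str, PendingReset] = {}

    def _find_by_email(self, email: str) -> Optional[User]:
        for user in self.users.values():
            if user.owns(email):
                return user
        return None

    def request_reset(self, email: str) -> Optional[str]:
        """Start a reset. Returns the token, or None if the address is unknown.

        An address not registered on any account cannot identify an account and
        must not produce a token or a mail, so nothing is sent for it.
        """
        user = self._find_by_email(email)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[token] = PendingReset(
            username=user.username,
            requested_via=email,
            expires_at=self.now() + TOKEN_TTL_SECONDS,
        )
        # The confirmation goes to the initiating address, which is where the
        # person who asked for the reset is actually reading mail.
        self.send_mail(email, f"confirm-reset?otk={token}")
        return token

    def confirm_reset(self, token: str) -> Optional[str]:
        """Consume a token, set a new password and mail it. Returns the recipient."""
        pending = self.pending.pop(token, None)   # single use: gone after one attempt
        if pending is None or self.now() > pending.expires_at:
            return None
        user = self.users[pending.username]
        user.password = secrets.token_urlsafe(12)
        # Corrected behaviour: deliver to the address that initiated the reset.
        # Legacy behaviour (the reported bug): deliver only to the primary address.
        recipient = pending.requested_via if self.send_to_initiator else user.primary_email
        self.send_mail(recipient, f"your new password is: {user.password}")
        return recipient
```

Because the pending record stores `requested_via`, the second mail cannot drift to an address the requester never used; the dictionary pop also makes each link single use, so a leaked confirmation URL cannot be replayed to reset the password a second time.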
History
Date                 User          Action  Args
2015-03-28 17:55:06  kinggreedy    set     files: + forgotmail.diff; assignedto: kinggreedy ->; messages: + msg2954
2015-03-28 10:10:35  kinggreedy    set     messages: + msg2953
2015-03-28 09:49:07  kinggreedy    set     messages: - msg2952
2015-03-28 08:46:35  kinggreedy    set     assignedto: kinggreedy; messages: + msg2952; nosy: + kinggreedy
2015-03-08 11:52:58  ezio.melotti  set     nosy: + ezio.melotti; messages: + msg2951
2015-02-01 18:03:44  ikelly        set     messages: + msg2946
2015-02-01 17:39:51  stephen       set     status: unread -> chatting; nosy: + stephen; messages: + msg2945
2015-01-31 16:23:59  ikelly        create