diff options
| author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2019-01-15 20:14:56 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-01-15 20:14:56 +0100 |
| commit | a32577d04821a88d51e7f41a4ccf6bb1012fd3f3 (patch) | |
| tree | e3c46edde59681d01e0f59ea1af4786bee51300b /core | |
| parent | 53c077afc9077dcadcaf4b8ad62590fb549947b0 (diff) | |
| parent | f42115d6bbfa0c54f1ebb38b5884a6e4356d3738 (diff) | |
| download | nextcloud-server-a32577d04821a88d51e7f41a4ccf6bb1012fd3f3.tar.gz nextcloud-server-a32577d04821a88d51e7f41a4ccf6bb1012fd3f3.zip | |
Merge pull request #13595 from nextcloud/enh/do_not_leak_user_existence
Generic message on password reset
Diffstat (limited to 'core')
| -rw-r--r-- | core/Controller/LostController.php | 16 | ||||
| -rw-r--r-- | core/js/lostpassword.js | 2 |
2 files changed, 12 insertions, 6 deletions
diff --git a/core/Controller/LostController.php b/core/Controller/LostController.php index 8d1481dfc28..ed802aca582 100644 --- a/core/Controller/LostController.php +++ b/core/Controller/LostController.php @@ -39,6 +39,7 @@ use OCP\AppFramework\Utility\ITimeFactory; use OCP\Defaults; use OCP\Encryption\IEncryptionModule; use OCP\Encryption\IManager; +use OCP\ILogger; use \OCP\IURLGenerator; use \OCP\IRequest; use \OCP\IL10N; @@ -80,6 +81,8 @@ class LostController extends Controller { protected $timeFactory; /** @var ICrypto */ protected $crypto; + /** @var ILogger */ + private $logger; /** * @param string $appName @@ -108,7 +111,8 @@ class LostController extends Controller { IManager $encryptionManager, IMailer $mailer, ITimeFactory $timeFactory, - ICrypto $crypto) { + ICrypto $crypto, + ILogger $logger) { parent::__construct($appName, $request); $this->urlGenerator = $urlGenerator; $this->userManager = $userManager; @@ -121,6 +125,7 @@ class LostController extends Controller { $this->mailer = $mailer; $this->timeFactory = $timeFactory; $this->crypto = $crypto; + $this->logger = $logger; } /** @@ -236,10 +241,11 @@ class LostController extends Controller { // FIXME: use HTTP error codes try { $this->sendEmail($user); - } catch (\Exception $e){ - $response = new JSONResponse($this->error($e->getMessage())); - $response->throttle(); - return $response; + } catch (\Exception $e) { + // Ignore the error since we do not want to leak this info + $this->logger->logException($e, [ + 'level' => ILogger::WARN + ]); } $response = new JSONResponse($this->success()); diff --git a/core/js/lostpassword.js b/core/js/lostpassword.js index 084a53f412f..75e91ffac7a 100644 --- a/core/js/lostpassword.js +++ b/core/js/lostpassword.js @@ -2,7 +2,7 @@ OC.Lostpassword = { sendErrorMsg : t('core', 'Couldn\'t send reset email. Please contact your administrator.'), - sendSuccessMsg : t('core', 'The link to reset your password has been sent to your email. If you do not receive it within a reasonable amount of time, check your spam/junk folders.<br>If it is not there ask your local administrator.'), + sendSuccessMsg : t('core', 'We have send a password reset e-mail to the e-mail address known to us for this account. If you do not receive it within a reasonable amount of time, check your spam/junk folders.<br>If it is not there ask your local administrator.'), encryptedMsg : t('core', "Your files are encrypted. There will be no way to get your data back after your password is reset.<br />If you are not sure what to do, please contact your administrator before you continue. <br />Do you really want to continue?") + ('<br /><input type="checkbox" id="encrypted-continue" class="checkbox checkbox--white" value="Yes" />') |