From 24966c43bddbd291c4a067568c50fafad8b6f295 Mon Sep 17 00:00:00 2001 From: Caleb Forbes Davis V Date: Sun, 28 Aug 2011 22:57:51 -0500 Subject: [PATCH] Avoids informing browser whether the username or email is a match - pretends to have sent the email with the URL to change the password regardless of whether or not the email was actually sent. This avoids leaking user information to the browser --- mediagoblin/auth/views.py | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/mediagoblin/auth/views.py b/mediagoblin/auth/views.py index 50276442..7ee89dfb 100644 --- a/mediagoblin/auth/views.py +++ b/mediagoblin/auth/views.py @@ -204,10 +204,7 @@ def forgot_password(request): {'$or': [{'username': request.POST['username']}, {'email': request.POST['username']}]}) - if not user: - fp_form.username.errors.append( - u"Sorry, the username doesn't exists") - else: + if user: user['fp_verification_key'] = unicode(uuid.uuid4()) user['fp_token_expire'] = datetime.datetime.now() + \ datetime.timedelta(days=10) @@ -215,7 +212,8 @@ def forgot_password(request): send_fp_verification_email(user, request) - return redirect(request, 'mediagoblin.auth.fp_email_sent') + # do not reveal whether or not there is a matching user, just move along + return redirect(request, 'mediagoblin.auth.fp_email_sent') return render_to_response( request, -- 2.25.1
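Review bot: The new `if user:` branch still performs a token write and a synchronous `send_fp_verification_email` call before reaching the shared redirect, so response latency differs measurably between a matching and a non-matching username/email — the enumeration oracle this commit removes from the error message survives as a timing side channel. Moving the email send (and ideally the save) onto a background queue so both paths return in about the same time, or at minimum rate-limiting this endpoint per IP and per target account, would close it. The `fp_token_expire` of 10 days visible in the context lines is also generous for a password-reset token (an hour is a more common bound), though that predates this change. `forgot_password` begins and ends outside this hunk.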
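Review bot: The unconditional `return redirect(request, 'mediagoblin.auth.fp_email_sent')` only removes the leak from this view; the `fp_email_sent` page it lands on is not in this patch, and if that template asserts the email was sent rather than saying something like "If an account matches, instructions have been sent", the protection depends on copy that a later template edit can undo. I would extend the new comment to `# Redirect unconditionally: the fp_email_sent page must stay neutral about whether a user matched` so the template dependency is recorded next to the code. As written the added comment line also exceeds 79 columns at this indentation. `forgot_password` continues outside the hunk; the trailing `render_to_response` is presumably the non-POST/invalid-form path.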