Password Broker has a security risk on accepting email parameter on GET requests #1991
Comments
mpyw
changed the title
|
Is it a large security risk to have emails appear in your server logs? Do you have any additional information on this, as well as alternative approaches - rather than just believing that one approach is bad? You could always put together a PR that implements your proposal and goes over the pros/cons of that approach. |
|
The handling of personal information in my company is very strict, and email is treated as sensitive information. Although not as strict as raw password, I believe that unnecessary logging should be avoided.
Yes, I'll submit PR when I have time. |
|
If it's a specific company policy then it's not exactly a large security risk, but rather a good opportunity for you to override the default notification in your application. Alternative approaches to this can be explored through PRs in the meantime. |
|
You're right, but I think the current implementation has fewer advantages over the new proposal. Current
Proposal
There are certainly passive reasons to keep the current implementation, but there seems to be no active reason. |
|
From a quick look it doesn't seem like password reset tokens are unique, so you can't look up a user from the token alone - which is what I think you're proposing. That proposal would also require that the tokens are required to be unique. The simplest solution would be to remove the email address from the link and require the user enters it again manually when choosing a new password, but that's a pretty poor user experience. |
|
@dwightwatson Absolutely. "email hash" (almost unique) + "secret" looks better, but it loses simplicity... |
|
@dwightwatson I realized that there are much room for rethinking. I'll discuss with my colleagues, thank you. |
mpyw
changed the title
[5.8] Pass notifiable email through reset link by dwightwatson · Pull Request #28475 · laravel/framework
From issue comment:
The text was updated successfully, but these errors were encountered: