#7786 Invalidate pwd reset tokens after email change

v1.3.0
closed
Heith Seewald
security (36) sf-2 (994)
General
Dave Brondsema
2015-08-20
2014-10-30
Dave Brondsema
No

Password reset tokens should be invalidated after an email address change, so that any existing resets that went to a potentially compromised email address cannot be used.

Related

Git: f9ac6e1a

Discussion

  • Dave Brondsema

    Dave Brondsema - 2014-11-03
    • labels: security --> security, sf-2
     

  • Dave Brondsema

    Dave Brondsema - 2015-01-20

    And after a password change, for good measure.

     

  • Dave Brondsema

    Dave Brondsema - 2015-01-26
    • labels: security, sf-2 --> security, sf-2, sf-current
     

  • Igor Bondarenko - 2015-01-27
    • Owner: Anonymous --> Igor Bondarenko
    • Labels: security, sf-2, sf-current --> security, 42cc, sf-current, sf-2
    • Status: open --> in-progress
     

  • Igor Bondarenko - 2015-01-29
    • labels: security, 42cc, sf-current, sf-2 --> security, sf-current, sf-2
    • status: in-progress --> open
    • assigned_to: Igor Bondarenko --> nobody
     

  • Dave Brondsema

    Dave Brondsema - 2015-02-09
    • status: open --> review
    • Reviewer: Dave Brondsema
     

  • Heith Seewald - 2015-02-18
    • assigned_to: Heith Seewald
     

  • Dave Brondsema

    Dave Brondsema - 2015-02-19
    • status: review --> closed
    • private: Yes --> No
     

  • Dave Brondsema

    Dave Brondsema - 2015-02-23
    • labels: security, sf-current, sf-2 --> security, sf-2
     

  • Igor Bondarenko - 2015-06-18
    • Milestone: unreleased --> asf_release_1.3.0
     

Log in to post a comment.