Task #105863

closed

Remove exposeNonexistentUserInForgotPasswordDialog setting in ext:felogin

Added by Torben Hansen about 2 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Should have
Assignee:
Category: felogin
Target version:
Start date: 2024-12-26
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 14
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

When the setting exposeNonexistentUserInForgotPasswordDialog in ext:felogin is set to true, the password recovery process for frontend users exposes whether the given username or email address exists in the fe_users table. Although the setting is disabled by default, enabling it allows user enumeration and may raise privacy concerns. Instead of providing an option that can lead to insecure setups, TYPO3 should adopt secure defaults and remove the possibility for administrators to inadvertently compromise security.
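As an added illustration (not TYPO3 or ext:felogin code), the following minimal PHP forgot-password handler shows the leaking behaviour the setting enabled next to the uniform response of a secure default; the in-memory user table, the function names and the message texts are constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the fe_users table (not TYPO3 code).
const FE_USERS = [
    ['username' => 'alice', 'email' => 'alice@example.org'],
];

function findFrontendUser(string $usernameOrEmail): ?array
{
    foreach (FE_USERS as $user) {
        if ($user['username'] === $usernameOrEmail || $user['email'] === $usernameOrEmail) {
            return $user;
        }
    }
    return null;
}

/**
 * Handles a "forgot password" request and returns the message shown to the
 * requester plus whether a recovery mail would have been sent.
 *
 * $exposeNonexistentUser mirrors the setting discussed in this task: when
 * true, the response differs depending on whether the account exists, so an
 * unauthenticated caller can enumerate valid usernames and email addresses.
 */
function handleForgotPassword(string $usernameOrEmail, bool $exposeNonexistentUser): array
{
    $user = findFrontendUser($usernameOrEmail);
    // A real implementation generates a recovery token and mails it here.
    $mailSent = $user !== null;

    if ($exposeNonexistentUser && $user === null) {
        // Leaking variant: the error text confirms that no such account exists.
        return ['message' => 'No account found for the given username or email address.', 'mailSent' => false];
    }
    // Secure default: identical wording whether or not the account exists;
    // only the (invisible) mail delivery depends on the lookup result.
    return ['message' => 'If an account exists for the given data, a recovery email has been sent.', 'mailSent' => $mailSent];
}

// Demo: same response text for a known and an unknown account when the setting is off.
foreach (['alice', 'mallory'] as $input) {
    echo $input, ': ', handleForgotPassword($input, false)['message'], PHP_EOL;
}
```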

#1

Updated by Gerrit Code Review about 2 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/87594

#2

Updated by Torben Hansen about 1 month ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100