juergen/ticketfrei
1
0
Fork 0
Code Issues 15 Pull requests Releases Wiki Activity

confirmation links don't expire #37

New issue
Closed
opened 2019-06-10 09:41:34 +00:00 by b3yond · 2 comments
b3yond commented 2019-06-10 09:41:34 +00:00
Copy link

Author: @b3yond Posted at: 16.09.2018 14:25

confirmation links don't expire yet. This means you can login without a password, if you find the confirmation link that created the account; works only if the frontend has not been restarted since then.

Steps to Reproduce:

  1. register account
  2. click on confirmation link once
  3. click on confirmation link a second time

Expected Behavior:

The first confirmation link redirects to the settings page, the second time to click on the link redirects to index with the error message "account already exists."

Actual Behavior:

Every time you click on the confirmation link you get redirected to the settings page. Also, a second account for the same city is registered.

Author: @b3yond Posted at: 16.09.2018 14:25 confirmation links don't expire yet. This means you can login without a password, if you find the confirmation link that created the account; works only if the frontend has not been restarted since then. ### Steps to Reproduce: 1. register account 2. click on confirmation link once 3. click on confirmation link a second time ### Expected Behavior: The first confirmation link redirects to the settings page, the second time to click on the link redirects to index with the error message "account already exists." ### Actual Behavior: Every time you click on the confirmation link you get redirected to the settings page. Also, a second account for the same city is registered.
b3yond added the
security
 label 2019-06-10 09:41:34 +00:00
b3yond commented 2019-06-10 09:41:35 +00:00
Author
Copy link

Author: @b3yond Posted at: 28.10.2018 12:21

This is kind of nice when you forget your password, actually. because you can just press on the old link. But well, this kind of behavior should not be encouraged of course.

The problem is, it actually creates a new user when you click on the link again. we now have two ticketfrei users with the same city etc.

Author: @b3yond Posted at: 28.10.2018 12:21 This is kind of nice when you forget your password, actually. because you can just press on the old link. But well, this kind of behavior should not be encouraged of course. The problem is, it actually creates a new user when you click on the link again. we now have two ticketfrei users with the same city etc.
b3yond commented 2019-06-10 09:41:35 +00:00
Author
Copy link

Author: @b3yond Posted at: 11.01.2019 11:43

I'm a bit ashamed that we left a security issue open for 4 months.

Author: @b3yond Posted at: 11.01.2019 11:43 I'm a bit ashamed that we left a security issue open for 4 months.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
refactoring
stable2
stable3
feature/ping
coc
stable1
2.1.4
2.1.3
2.1.2
2.1.1
2.1.0
2.0.1
2.0.0
1.1
2.0.0beta
1.0
Labels
Clear labels   
bug

   
enhancement

   
good first issue

   
help wanted

   
security

   
wait for upstream

   
wait to be tested
No labels
bug
enhancement
good first issue
help wanted
security
wait for upstream
wait to be tested
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: juergen/ticketfrei#37
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?