From e0c6a56263d4e6b1034d9bfe42b14f04624cbdfe Mon Sep 17 00:00:00 2001
From: Matthew Smith
Date: Fri, 17 Jan 2020 13:13:16 +0000
Subject: [PATCH] Disable password reset as temporary fix to vulnerability (#396)

Disabled password reset and left message notifying user of problem. In response to CVE-2019-19844
---
 RIGS/templates/RIGS/password_reset_disable.html | 9 +++++++++
 RIGS/urls.py | 2 +-
 RIGS/views.py | 4 ++++
 3 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 RIGS/templates/RIGS/password_reset_disable.html
diff --git a/RIGS/templates/RIGS/password_reset_disable.html b/RIGS/templates/RIGS/password_reset_disable.html
new file mode 100644
index 00000000..eec6e791
--- /dev/null
+++ b/RIGS/templates/RIGS/password_reset_disable.html
@@ -0,0 +1,9 @@
+{% extends 'base_rigs.html' %}
+
+{% block title %}Password Reset Disabled{% endblock %}
+
+{% block content %}
+

Password reset is disabled

+

We are very sorry for the inconvenience, but due to a security vulnerability, password reset is currently disabled until the vulnerability can be patched.

+

If you are locked out of your account, please contact an administrator and we can manually perform a reset

+{% endblock %}
\ No newline at end of file
diff --git a/RIGS/urls.py b/RIGS/urls.py
index 3630f7d0..46e70f10 100644
--- a/RIGS/urls.py
+++ b/RIGS/urls.py
@@ -19,7 +19,7 @@ urlpatterns = [
 url('^user/login/$', views.login, name='login'),
 url('^user/login/embed/$', xframe_options_exempt(views.login_embed), name='login_embed'),
- url(r'^user/password_reset/$', password_reset, {'password_reset_form': forms.PasswordReset}),
+ url(r'^user/password_reset/$', views.PasswordResetDisabled.as_view()),
 # People
 url(r'^people/$', permission_required_with_403('RIGS.view_person')(views.PersonList.as_view()),
diff --git a/RIGS/views.py b/RIGS/views.py
index 023f0089..f8494e25 100644
--- a/RIGS/views.py
+++ b/RIGS/views.py
@@ -392,3 +392,7 @@ class ResetApiKey(generic.RedirectView):
 self.request.user.save()
 return reverse_lazy('profile_detail')
+
+
+class PasswordResetDisabled(generic.TemplateView):
+ template_name = "RIGS/password_reset_disable.html"
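Review bot: The second paragraph of the new template tells every anonymous visitor that an unpatched security vulnerability exists in the password-reset flow, which is more than a locked-out user needs in order to act. A neutral wording keeps the instruction without advertising the gap, e.g. `<p>Password reset is temporarily unavailable. If you are locked out of your account, please contact an administrator and we can perform a reset for you.</p>`. The file is also committed without a trailing newline (`\ No newline at end of file`), which the project's other templates presumably have; worth fixing while the wording is revisited.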
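Review bot: The replacement `url(r'^user/password_reset/$', views.PasswordResetDisabled.as_view()),` carries no comment saying why a static view now sits on the reset URL or when it can be reverted, so the next reader of urls.py cannot tell a deliberate lockdown from a leftover; add above it `# Temporary: reset form replaced by a static notice (CVE-2019-19844); restore password_reset once the fix is deployed.`. Only the `user/password_reset/` entry is swapped in this hunk — if the rest of the reset flow (the routes that accept the emailed token) is registered elsewhere in this file, it is untouched here and previously issued reset links would presumably still be honoured, which is worth checking since only part of `urlpatterns` is visible. The `password_reset` and `forms` names referenced on the removed line likely become unused imports if this was their only use; the import block is outside the hunk.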
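Review bot: `PasswordResetDisabled` has no docstring, and nothing in views.py records that it is a stopgap rather than a permanent page; add under the class line `"""Static notice served in place of the password-reset form while CVE-2019-19844 is unpatched; remove once the reset view is restored."""`. Django's `TemplateView` implements only `get`, so a POST to the old reset URL is answered with 405 rather than reaching any reset logic — that is the intended effect here but worth stating in the docstring so it is not lost when the view is restored. The class is appended after `ResetApiKey`, whose body starts outside the hunk.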