
Validate HEAD requests properly before clicking on password reset link received via an email #2381

Closed
jbilandzija opened this issue Jun 21, 2023 · 3 comments · Fixed by #2392 or #2389
Labels
accepted Accepted the issue

Comments

@jbilandzija (Contributor)

SECURITY NOTICE: If you have found a security problem in the UAA, please do not file a public github issue. Instead, please send an email to security@cloudfoundry.org

Thanks for taking the time to file an issue. You'll minimize back and forth and help us help you more effectively by answering all of the following questions as specifically and completely as you can.

What version of UAA are you running?

We are using 76.13.0.

How are you deploying the UAA?

I am deploying the UAA

  • using a bosh release I downloaded from bosh.io

What did you do?

  1. User tries to reset his password by clicking "Reset password" on UAA Login screen.
  2. User provides email and clicks "SEND RESET PASSWORD LINK"
  3. User opens the link and receives "Sorry, your reset password link is no longer valid. You can request another one below."

Current observation

Users having these issues are using Outlook, and probably Outlook's Safe Links protection invalidates the link even before the user can.

What did you expect to see? What goal are you trying to achieve with the UAA?

  • Password reset window opens to set a new password

What did you see instead?

Error panel saying "Sorry, your reset password link is no longer valid. You can request another one below."

Assumption

Outlook's Safe Links protection opens the link as a HEAD request, which is handled as a GET. A potential fix would be to handle HEAD requests properly before the user clicks on the password reset link received via an email.

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/185449489

The labels on this github issue will be updated when the story is started.

@strehle (Member) commented Jul 4, 2023

You have created 2 PRs; are there more to come from your side?

@strehle strehle linked a pull request Jul 4, 2023 that will close this issue
@jbilandzija (Contributor, Author)

@strehle That's all from my side

@strehle strehle linked a pull request Jul 8, 2023 that will close this issue
cf-gitbot added the labels delivered and accepted (Accepted the issue), then removed the label delivered, on Jul 25, 2023
3 participants