sends http (not https) link in password reset email
Bug #1771138 reported by FC Stegerman
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Fix Released | High | Maximiliano Bertacchini |
Bug Description
Hi,
I just reset my launchpad password and noticed a http:// (instead of https://) link in the email I got, meaning the reset token is sent unencrypted when I click on it.
- Felix
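A regression guard for this class of bug, as an added example that is not the Canonical SSO provider's own code: it forces the https scheme on the base URL used to build a reset link and refuses any email body that still contains a cleartext link. The host `login.example.test`, the `/token/` path and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches http/https URLs in a plain-text email body.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample of the reported behaviour (hypothetical host and path).
SAMPLE_BODY = (
    "To reset your password, open:\n\n"
    "http://login.example.test/token/abc123/\n\n"
    "Help: https://login.example.test/help\n"
)


def find_insecure_links(body):
    """Return every link in `body` whose scheme is not https."""
    return [u for u in URL_RE.findall(body)
            if urlsplit(u).scheme.lower() != "https"]


def force_https(url):
    """Rewrite an absolute http(s) URL to https, keeping host, path and query."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError("not an absolute web URL: %r" % url)
    return urlunsplit(("https",) + tuple(parts)[1:])


def build_reset_email(base_url, token):
    """Compose a reset email; refuse to return it if any link is cleartext."""
    # The "/token/<token>/" layout is an assumption, not the project's route.
    link = force_https(base_url).rstrip("/") + "/token/" + token + "/"
    body = "To reset your password, open:\n\n" + link + "\n"
    insecure = find_insecure_links(body)
    if insecure:
        raise RuntimeError("cleartext links in email: %s" % insecure)
    return body


if __name__ == "__main__":
    print(find_insecure_links(SAMPLE_BODY))
    print(build_reset_email("http://login.example.test/", "abc123"))
```

Running `find_insecure_links` over rendered email bodies in the test suite catches a misconfigured base URL before the message leaves the server.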
Related branches
lp:~maxiberta/canonical-identity-provider/canonical-email-urls
- Celso Providelo (community): Approve
- Diff: 814 lines (+87/-112), 11 files modified
django_project/settings_test.py (+2/-0)
src/api/v10/handlers.py (+1/-2)
src/api/v10/tests/utils.py (+2/-1)
src/api/v20/handlers.py (+4/-7)
src/api/v20/registration.py (+3/-3)
src/api/v20/tests/test_handlers.py (+3/-5)
src/api/v20/tests/test_registration.py (+26/-31)
src/identityprovider/emailutils.py (+21/-22)
src/identityprovider/tests/test_emailutils.py (+23/-34)
src/webui/views/account.py (+1/-5)
src/webui/views/ui.py (+1/-2)
lp:~maxiberta/canonical-identity-provider/revert-r1653
- Celso Providelo (community): Approve
- Diff: 814 lines (+112/-87), 11 files modified
django_project/settings_test.py (+0/-2)
src/api/v10/handlers.py (+2/-1)
src/api/v10/tests/utils.py (+1/-2)
src/api/v20/handlers.py (+7/-4)
src/api/v20/registration.py (+3/-3)
src/api/v20/tests/test_handlers.py (+5/-3)
src/api/v20/tests/test_registration.py (+31/-26)
src/identityprovider/emailutils.py (+22/-21)
src/identityprovider/tests/test_emailutils.py (+34/-23)
src/webui/views/account.py (+5/-1)
src/webui/views/ui.py (+2/-1)
lp:~maxiberta/canonical-identity-provider/secure-email-links
- Celso Providelo (community): Approve
- Daniel Manrique (community): Approve
- Diff: 263 lines (+143/-3), 4 files modified
src/identityprovider/emailutils.py (+8/-0)
src/identityprovider/tests/test_emailutils.py (+68/-1)
src/identityprovider/tests/test_utils.py (+54/-1)
src/identityprovider/utils.py (+13/-1)
information type: Public → Public Security
Changed in canonical-identity-provider:
assignee: nobody → Maximiliano Bertacchini (maxiberta)
status: Triaged → In Progress
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released
I could have sworn I remembered seeing another bug about this, but I can't find it. Bug 1747479 (private security) may be related, though isn't quite the same thing.