Description of problem:

Version-Release number of selected component (if applicable): 0.1.111-1

How reproducible:

Steps to Reproduce:
1. Create a user account user1/password1 with an email address you can access
2. Log out
3. Click "Forgot password"
4. Fill out username/email to reset password
5. Retrieve email, click the link.
6. Reset password
7. Click the link again

Actual results: Allowed to reset password again

Expected results: UI should display error like "This link has expired. Please use the password reset form on the login page if you need to reset your password".

Additional info:
In fact, it would be even more secure if the link were invalidated the instant it is accessed (rather than only after the form is submitted). I think a sniffer could access the URL - if he races to fill out the form first, he would "beat" the legitimate user. But he could not access the URL first - by the time he sniffs it, the legit user already beat him to it. I guess you'd have to create a cookie or something for the first access.
I was able to reproduce it under katello-0.1.130-1.git.0.216c0d8.el6.x86_64
git commit: 3461becab18a3cc79054d4e9d7f1f07d41170089 Updated logic to reset the token as part of updating the password. As a result, the token may only be used for updating the password 1 time.
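An added example, not Katello's code, of the single-use behaviour the commit describes and the reproduction steps exercise: the reset token digest is cleared in the same step that updates the password, so the second click in step 7 is refused, and a token past its expiry is refused as well. Class and method names, the one-hour TTL, and the use of SHA-256 in place of a real password hash are assumptions for illustration.

```ruby
require 'securerandom'
require 'digest'

# Constructed example, not Katello's code. Only a digest of the outstanding
# reset token is stored; SHA-256 stands in for a real password hash (bcrypt).
class User
  attr_reader :username, :password_digest

  TOKEN_TTL = 60 * 60 # one hour; assumed policy, not Katello's

  def initialize(username, password)
    @username = username
    @password_digest = Digest::SHA256.hexdigest(password)
    @reset_token_digest = nil
    @reset_token_expires_at = nil
  end

  # "Forgot password": mint a random token, store only its digest, and
  # return the raw token for the emailed link.
  def issue_reset_token(now = Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @reset_token_digest = Digest::SHA256.hexdigest(token)
    @reset_token_expires_at = now + TOKEN_TTL
    token
  end

  # The check behind the emailed link: false if no token is outstanding,
  # it has expired, or it does not match the stored digest.
  def reset_token_valid?(token, now = Time.now)
    return false if @reset_token_digest.nil? || now > @reset_token_expires_at
    secure_equal?(Digest::SHA256.hexdigest(token.to_s), @reset_token_digest)
  end

  # Reset form submission. The token is cleared in the same step that
  # changes the password, so a second click on the same link is refused.
  def reset_password!(token, new_password, now = Time.now)
    return false unless reset_token_valid?(token, now)
    @password_digest = Digest::SHA256.hexdigest(new_password)
    @reset_token_digest = nil
    @reset_token_expires_at = nil
    true
  end

  # Constant-time comparison so response timing does not leak the digest.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```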
Blocked
mass ON_QA move
Verified, katello-0.1.229-1.git.0.f2ad9e2.el6.noarch
Can this bug now be closed? katello-0.1.307-1.el6.src.rpm
getting rid of 6.0.0 version since that doesn't exist