Last modified: 2014-02-12 23:35:40 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T46151, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 44151 - Password recovery form has odd results if only one field is filled out
Status: UNCONFIRMED
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.21.x
Hardware: All All
Importance: Normal normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Reported: 2013-01-19 14:07 UTC by kiu
Modified: 2014-02-12 23:35 UTC (History)

Description kiu 2013-01-19 14:07:57 UTC
1. Go to the Wikipedia password recovery form

A) User only
  Enter "kiu" and request password
  Result: "Mail has been sent", but actually it isn't

B) Mail only
  Enter "kiu@gmx.net" and request password
  Result: "Mail has been sent", but actually it isn't

C) Both
  Enter "kiu" and "kiu@gmx.net" and request password
  Result: "This account doesn't have an email address assigned", may be true

Comment 1 Chris Steipp 2013-01-25 00:03:44 UTC
Kiu, since this doesn't seem to be a security issue with the password reset function itself, I'd like to make it public so other people can help you out, but your name and email would then be public as well? Is that ok? Otherwise I'll close this bug and reopen a new bug that mentions the problem without your actual username and email.

In the meantime, I'm not able to duplicate, and that message "This account doesn't have an email address assigned" doesn't seem to exist. Could you post the actual text that you're seeing? (I'm assuming in German, since your other bug was about de.wikipedia.org)

Comment 2 kiu 2013-01-26 00:43:59 UTC
Sure, you can make this public.

The message seems only to come on de.wp.com: Benutzer „Kiu“ hat keine E-Mail-Adresse angegeben.
The English Wikipedia told me that a password was sent (not true).

Comment 3 Chris Steipp 2013-01-26 01:16:12 UTC
So it's triggering the 'noemail' message on SpecialPasswordReset.php line 216. I'm not sure why it would do that if you have an email address also filled out, instead of just a username.

Comment 4 kiu 2013-01-26 01:22:26 UTC
@Chris It actually means that the account I am trying to recover has no email associated to it. The error message is correct.

The question is why is en.wp.com not showing it? Why are the other cases saying that an email was sent...

Comment 5 Tyler Romeo 2013-02-11 09:34:16 UTC
Case B is intentional. When using only an email address, the reset form will always tell you the email was sent. Otherwise, somebody could use the reset form to iterate through email addresses and see if an account is registered for it.

I'm not sure why case A is happening, though.
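
The uniform reply that Comment 5 describes for the e-mail-only case, next to the address-revealing behaviour it avoids, as an added example that is not part of the original thread and is not MediaWiki code. The account data, message strings, function names and probe addresses are all constructed assumptions; the check function goes slightly beyond the thread by working against any handler.

```python
"""Constructed sketch of the e-mail-only reset path; not MediaWiki code."""

# Constructed sample data (hypothetical): registered address -> usernames.
ACCOUNTS_BY_EMAIL = {"alice@example.org": ["Alice", "AliceBot"]}
GENERIC = "A password reset e-mail has been sent."


def revealing_reset(email, outbox):
    """The behaviour being avoided: the reply depends on the lookup."""
    addr = email.strip().lower()
    users = ACCOUNTS_BY_EMAIL.get(addr, [])
    if not users:
        return "No account is registered with that address."
    outbox.append((addr, users))
    return GENERIC


def uniform_reset(email, outbox):
    """Same reply for every address; mail is queued only on a real match."""
    addr = email.strip().lower()
    users = ACCOUNTS_BY_EMAIL.get(addr, [])
    if users:
        outbox.append((addr, users))  # one mail listing every matching account
    return GENERIC


def distinct_replies(handler, probes):
    """Regression check: collect the different reply texts a handler gives.

    More than one entry means the response text alone separates
    registered addresses from unregistered ones.
    """
    return sorted({handler(p, []) for p in probes})


# Constructed probe set: one registered address, two unregistered ones.
PROBES = ["alice@example.org", "mallory@example.org", "nobody@example.net"]

if __name__ == "__main__":
    for handler in (revealing_reset, uniform_reset):
        print(handler.__name__, distinct_replies(handler, PROBES))
```

With `uniform_reset`, an unregistered address gets the "sent" reply while the outbox stays empty, which matches what case B reports. The check compares reply text only and does not measure response timing.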

Comment 6 NO_oBInc 2013-05-30 18:47:14 UTC
Seems like there is the same bug in the Russian part of the wiki.

I've tried to reset my password several times and found that if you fill in both fields, "name" and "e-mail address", no e-mail is sent. But if you fill in only one field, everything is all right.
