[zanata-bugs] [Bug 750104] New: Old email validation links don't expire

bugzilla at redhat.com bugzilla at redhat.com
Mon Oct 31 01:12:08 UTC 2011


Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.

Summary: Old email validation links don't expire

https://bugzilla.redhat.com/show_bug.cgi?id=750104

           Summary: Old email validation links don't expire
           Product: Zanata
           Version: 1.4.2
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: unspecified
          Priority: unspecified
         Component: Security
        AssignedTo: runab at redhat.com
        ReportedBy: damason at redhat.com
         QAContact: dchen at redhat.com
                CC: zanata-bugs at redhat.com
             Group: redhat, private
   Estimated Hours: 0.0
    Classification: Community
      Story Points: ---
              Type: ---


Description of problem:
Clicking an old email validation link changes the user's email address even
when the link has already been used and the email address has been subsequently
changed.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Sign in, navigate to 'My Profile' page
2. Click 'Edit Profile' and enter a different email address that you can check
3. Repeat step 2 with a different email address
4. Open the second validation email and click the validation link
5. Check in 'Edit Profile' page that email address has changed
6. Open the first validation email and click the validation link
7. Check in 'Edit Profile' page that email address has changed

Steps 4-7 can be repeated any number of times with the same results

Actual results:
Email address *always* changes to the address for which the validation link was
generated.

Expected results:
 - Only the most recent validation link changes email address, navigation to
other validation links shows an expiry message.
 - An 'already validated' message is shown if the most recent validation link
is used more than once.



Additional info:
If someone's account is compromised once, a validation link can be generated
that can be used forever to change the user's email address to the hacker's
email address. This could then be used to reset the password (I think only for
auto authentication).

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
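The expected behaviour in the report (only the newest validation link changes the address, a superseded or timed-out link shows an expiry message, and a link followed twice shows an "already validated" message) is an added example below, written in Python; it is not Zanata's own code and makes no claim about how Zanata stores its tokens. It assumes an in-memory store keyed by a hash of the token, a hypothetical `EmailChangeService` class, and an injectable clock so time-based expiry can be exercised offline. The reported bug corresponds to a service that never marks a token consumed and never retires an older token when a newer one is issued; this version does both at the point where the token is looked up.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Outcomes of following a validation link (names are this example's own).
CHANGED = "changed"                      # address updated
ALREADY_VALIDATED = "already_validated"  # newest link followed a second time
EXPIRED = "expired"                      # superseded by a newer link, or timed out
INVALID = "invalid"                      # token never issued

PENDING, CONSUMED, SUPERSEDED = "pending", "consumed", "superseded"


@dataclass
class PendingChange:
    username: str
    new_email: str
    issued_at: float
    state: str = PENDING


@dataclass
class EmailChangeService:
    """Hypothetical e-mail change workflow with single-use, newest-only tokens."""
    ttl_seconds: float = 24 * 3600
    clock: Callable[[], float] = time.time
    emails: Dict[str, str] = field(default_factory=dict)            # username -> current address
    pending: Dict[str, PendingChange] = field(default_factory=dict)  # token digest -> change
    latest: Dict[str, str] = field(default_factory=dict)            # username -> digest of newest token

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash: a leaked table then does not yield usable links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def request_change(self, username: str, new_email: str) -> str:
        """Issue a fresh token for `username` and retire any earlier pending one.

        Retiring the older token is what makes step 6 of the report fail:
        issuing a second link (step 3) must invalidate the first link.
        """
        old_key = self.latest.get(username)
        if old_key is not None and self.pending[old_key].state == PENDING:
            self.pending[old_key].state = SUPERSEDED
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        key = self._digest(token)
        self.pending[key] = PendingChange(username, new_email, self.clock())
        self.latest[username] = key
        return token

    def validate(self, token: str) -> str:
        """Follow a validation link; apply the change only for a live, unused token."""
        change = self.pending.get(self._digest(token))
        if change is None:
            return INVALID
        if change.state == SUPERSEDED:
            return EXPIRED
        if change.state == CONSUMED:
            return ALREADY_VALIDATED
        if self.clock() - change.issued_at > self.ttl_seconds:
            change.state = SUPERSEDED   # timed out: never applicable again
            return EXPIRED
        # Live and unused: apply exactly once, then mark consumed so a replay
        # of the same link cannot change the address back later.
        self.emails[change.username] = change.new_email
        change.state = CONSUMED
        return CHANGED


def reproduce_report(service: EmailChangeService) -> list:
    """Run steps 2-7 of the report and return the outcome of each link click."""
    service.emails["alice"] = "alice@example.org"          # constructed starting state
    first = service.request_change("alice", "first@example.org")   # step 2
    second = service.request_change("alice", "second@example.org")  # step 3
    return [service.validate(second),   # step 4: newest link works
            service.validate(first),    # step 6: older link is expired
            service.validate(second)]   # newest link again: already validated


if __name__ == "__main__":
    svc = EmailChangeService()
    print(reproduce_report(svc), svc.emails["alice"])
```

The important property is that the decision is made on the token's recorded state at lookup time, not on whether the token was ever valid; a production store would also purge consumed and superseded rows after the TTL and would typically show the same message for `INVALID` and `EXPIRED` so that the page does not reveal which tokens exist.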
