XWiki Platform / XWIKI-21326

Microsoft "safe links" interferes with password reset feature.


Details

    • Bug
    • Resolution: Duplicate
    • Minor
    • None
    • None
    • Security
    • Unknown
    • N/A
    • N/A

    Description

      Since the password reset link is one-time use, services such as Microsoft "safe link" break the password reset process by issuing a request to the link before the user does.

      It seems like 'HEAD' requests are used for this, so filtering out those might help:

       

       

      diff --git a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resetpasswordinline.vm b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resetpasswordinline.vm
      index 2482cd2dd98..e7979907575 100644
      --- a/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resetpasswordinline.vm
      +++ b/xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/resetpasswordinline.vm
      @@ -147,7 +147,7 @@ $services.localization.render('xe.admin.passwordReset.instructions')
           #elseif (!$services.csrf.isTokenValid($request.form_token))
               #resetPasswordBoxStart("danger")
               $services.localization.render('xe.admin.passwordReset.error.csrf')
      -    #else
      +    #elseif ($request.method.toLowerCase() != 'head')
               #validateFields($passwordFields, $request)
               #if (!$allFieldsValid)
                   #displayForm($stringtool.join($allFieldsErrors, "<br/>") $validationString)
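
      Review bot: The new condition `#elseif ($request.method.toLowerCase() != 'head')` excludes a single method, so the guard only holds while link scanners keep using HEAD, which the description gives as an observation rather than a guarantee. If this branch is the one that processes the submitted form, testing for the method the form is submitted with (an allowlist) would be more robust than excluding HEAD. Also, with the final `#else` replaced, a HEAD request carrying a valid `form_token` now matches no branch of this chain; an explicit `#else` with a short comment would make clear that skipping `#validateFields` and rendering nothing for that case is intentional.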
      

       

       

            People

              surli Simon Urli
              aj Andreas Jonsson
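
A minimal model of the failure described in this issue, as an added example (not XWiki code and not part of the original report): it compares a store that spends the one-time token on the first request of any method with one that spends it only on the POST that submits the new password. The class and function names, the status codes and the user `alice` are constructed for illustration.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD"}   # read-only methods, as issued by link scanners


class ResetTokens:
    """One-time password reset tokens (in-memory stand-in for a real store)."""

    def __init__(self, consume_on_view):
        # True models the issue: the first request of any method spends the token.
        self.consume_on_view = consume_on_view
        self.pending = {}            # user -> token

    def issue(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def _valid(self, user, token):
        expected = self.pending.get(user)
        return expected is not None and hmac.compare_digest(expected, token)

    def handle(self, method, user, token):
        """Return an HTTP-like status for a request to the reset link."""
        method = method.upper()
        if method not in SAFE_METHODS | {"POST"}:
            return 405
        if not self._valid(user, token):
            return 410               # unknown or already used
        if method == "POST" or self.consume_on_view:
            del self.pending[user]   # token is spent exactly once
        return 200


def simulate(consume_on_view):
    """Mail scanner prefetches the link, then the user opens and submits it."""
    store = ResetTokens(consume_on_view)
    token = store.issue("alice")     # constructed sample user
    return [
        store.handle("HEAD", "alice", token),   # link scanner
        store.handle("GET", "alice", token),    # user opens the mail link
        store.handle("POST", "alice", token),   # user submits new password
        store.handle("POST", "alice", token),   # replay of the same link
    ]


if __name__ == "__main__":
    print("consume on view:", simulate(True))    # [200, 410, 410, 410]
    print("consume on POST:", simulate(False))   # [200, 200, 200, 410]
```

In the second run the scanner's HEAD and the user's GET both leave the token intact, and the token still cannot be used twice.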