Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rate limit password resets #13813

Closed
Findus23 opened this issue Dec 8, 2018 · 0 comments · Fixed by #13934
Closed

rate limit password resets #13813

Findus23 opened this issue Dec 8, 2018 · 0 comments · Fixed by #13934
Assignees
@sgiehl
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. c: Usability For issues that let users achieve a defined goal more effectively or efficiently.
Milestone
3.11.0

Comments

@Findus23
Copy link
Member

Findus23 commented Dec 8, 2018

See also #13472 (comment)
followup to #13472 and #2888

Currently everyone can request an unlimited number of password requests which causes an unlimited amount of password reset emails which causes a mess in the inbox, overloads mailservers and may make it possible to let an attacker trick the user in accepting this request (#11071)
@Findus23 Findus23 added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. c: Usability For issues that let users achieve a defined goal more effectively or efficiently. labels Dec 8, 2018
@sgiehl sgiehl self-assigned this Jan 6, 2019
@sgiehl sgiehl mentioned this issue Jan 6, 2019
Merged
@mattab mattab added this to the 3.9.0 milestone Jan 14, 2019
@mattab mattab modified the milestones: 3.9.0, 3.10.0 Mar 18, 2019
@mattab mattab modified the milestones: 3.10.0, 3.11.0 May 21, 2019
@mattab mattab mentioned this issue Jun 5, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sgiehl sgiehl

Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. c: Usability For issues that let users achieve a defined goal more effectively or efficiently.
Projects
None yet
Milestone
3.11.0
Development

Successfully merging a pull request may close this issue.

Implements a rate limit for password resets matomo-org/matomo
3 participants
@mattab @sgiehl @Findus23