@sgiehl opened this Issue on January 14th 2021 Member

When the SMTP connection is not set up correctly, or is failing due to other reasons like #17026, requesting password recovery currently displays the full error message returned from the SMTP server. This could, for example, include the sender mail address or the login.
As the password recovery is publicly available, we should consider not showing the full error message in this case.

@tsteur commented on January 14th 2021 Member

I suppose in many cases the login would be the same as the sender, and the sender is kind of maybe guessable? Nonetheless, could be replaced maybe automatically by catching the exception and throwing it again?

@sgiehl commented on January 15th 2021 Member

@tsteur Yes, exactly. Should be enough to do that for the password recovery only, I guess, as that error message might be publicly visible.
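
The catch-and-rethrow approach discussed in this thread, as an added PHP example that is not part of the original issue and not the project's own code. All function and class names are hypothetical, and the SMTP error text is a constructed sample.

```php
<?php
// Hypothetical names throughout; the SMTP error text below is constructed.

/** Exception whose message is safe to show to an unauthenticated visitor. */
final class PublicMessageException extends RuntimeException {}

/** Stand-in for the mail transport: fails the way a misconfigured SMTP login would. */
function sendRecoveryMail(string $recipient): void
{
    throw new RuntimeException(
        'SMTP Error: Could not authenticate. 535 5.7.8 Authentication failed '
        . 'for user "smtp-login@example.org" (sender noreply@example.org)'
    );
}

/**
 * Public password recovery step: catch the transport error, keep the full
 * text in the server log under a reference id, and rethrow a generic message.
 */
function requestPasswordRecovery(string $recipient, callable $log): void
{
    try {
        sendRecoveryMail($recipient);
    } catch (Throwable $e) {
        $ref = bin2hex(random_bytes(4));
        $log(sprintf('[password-recovery %s] %s: %s', $ref, get_class($e), $e->getMessage()));
        // $e is kept as "previous" for admins; the public page prints only the outer message.
        throw new PublicMessageException(
            "The recovery email could not be sent. Please contact your administrator (reference $ref).",
            0,
            $e
        );
    }
}

$serverLog = [];
try {
    requestPasswordRecovery('user@example.com', function (string $line) use (&$serverLog): void {
        $serverLog[] = $line;
    });
} catch (PublicMessageException $e) {
    echo 'Shown to visitor: ', $e->getMessage(), PHP_EOL;
    echo 'Kept in server log: ', $serverLog[0], PHP_EOL;
}
```

The reference id lets an administrator match a visitor's report to the full SMTP error in the log without the login or sender address ever reaching the public page.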
