Leaking of password reset token through the reset url 

I think it is possible to leak the password reset token since it is left in the url.   In Django 1.11 the token is stripped during a redirect ([docs](https://docs.djangoproject.com/en/1.11/releases/1.11/#django-contrib-auth), [code](https://github.com/django/django/blob/1.11.2/django/contrib/auth/views.py#L461)) to prevent the token from being taken in the referrer header from 3rd party apps on the page. I haven't dug too deeply into the source for this project but at a first glance it seems that the vulnerability exists.   If this is the case would be happy to help fix similar to [django-registration-redux](https://github.com/macropin/django-registration/pull/268), or at the very least alert you to the issue. Let me know if you guys need any help!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Leaking of password reset token through the reset url #80

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Leaking of password reset token through the reset url #80

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions