From 7de5359d04e4585c07b0b1a9e12e2ff639ee8b80 Mon Sep 17 00:00:00 2001
From: Alex <40072887+alexdcrane@users.noreply.github.com>
Date: Thu, 22 Jan 2026 10:34:23 -0700
Subject: [PATCH] Security: Always show the password reset link sent message (#7712)
---
 resources/login.php | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)
diff --git a/resources/login.php b/resources/login.php
index 4d665ddbc2..2bc10188ac 100644
--- a/resources/login.php
+++ b/resources/login.php
@@ -148,30 +148,19 @@
 //send reset link
 if (send_email($email, $email_subject, $email_body, $eml_error)) {
 //email sent
- message::add($text['message-reset_link_sent'], 'positive', 2500);
 }
 else {
 //email failed
 //message::add($eml_error, 'negative', 5000);
 }
 }
- else {
- //not found
- message::add($text['message-reset_link_sent'], 'negative', 5000);
- }
 }
- else {
- //matched multiple users
- message::add($text['message-reset_link_sent'], 'negative', 5000);
- }
 }
- else {
- //not found
- message::add($text['message-reset_link_sent'], 'negative', 5000);
- }
+ //always show the email sent message
+ message::add($text['message-reset_link_sent'], 'positive', 2500);
 }
 //else {
 // //invalid email
@@ -305,8 +294,8 @@
 echo " }";
 echo "";
-//send an email with the password reset link
- if (isset($action) && $action == 'request' && !empty($_SESSION['valid_email'])) {
+//email sent message
+ if (isset($action) && $action == 'request' && isset($_REQUEST['email'])) {
 echo "
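Review bot: The `send_email()` call in the first hunk still runs only on the path where a single user appears to have matched, so the request can take measurably longer for a known address than for an unknown one even though the message is now identical. Handing the mail to a queue or background job before responding would make the two paths comparable. The failure branch is also empty apart from the commented-out `//message::add($eml_error, 'negative', 5000);`, so a delivery problem leaves no trace for the operator; a server-side record such as `error_log('password reset mail failed: '.$eml_error);` would fix that while keeping the response uniform. The enclosing lookup block starts above the hunk, so the match conditions are inferred from the removed `//not found` and `//matched multiple users` comments.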