[3.0.x] Fixed #31505 -- Doc'd possible email addresses enumeration in PasswordResetView.

Backport of ca769c8c13df46b8153a0a4ab3d748e88d6e26f9 from master
2020-04-27 18:06:11 +02:00 · 2020-04-27 18:06:11 +02:00 · 04bc3577ed
commit 04bc3577ed
parent 657992cf19
1 changed files with 10 additions and 0 deletions
--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
@ -1248,6 +1248,16 @@ implementation details see :ref:`using-the-views`.
    :class:`~django.contrib.auth.forms.PasswordResetForm` and use the
    ``form_class`` attribute.

+    .. note::
+
+        Be aware that sending an email costs extra time, hence you may be
+        vulnerable to an email address enumeration timing attack due to a
+        difference between the duration of a reset request for an existing
+        email address and the duration of a reset request for a nonexistent
+        email address. To reduce the overhead, you can use a 3rd party package
+        that allows to send emails asynchronously, e.g. `django-mailer
+        <https://pypi.org/project/django-mailer/>`_.
+
    Users flagged with an unusable password (see
    :meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't
    allowed to request a password reset to prevent misuse when using an